Facing an unprecedented and outrageous record penalty of $230 million for a 2018 data breach, British Airways has become the unwanted precedent for Europe’s new data privacy regulations.
It had to be British Airways. In a historically outrageous penalty, the UK’s national airline could be made the precedent, with an astronomical $230 million fine for leaking its customers’ data.
The breach of its security systems took place last year, when the airline said that hackers had mounted a “sophisticated, malicious criminal attack” on its website. The penalty, if levied, will be imposed under the EU General Data Protection Regulation (GDPR), which came into force in 2018 and raised the responsibility for data privacy to a whole new level.
The Information Commissioner’s Office (ICO) stated that the BA penalty was the biggest it had ever handed out and the first to be made public under the new rules. The airline said it was “surprised and disappointed” by the penalty.
The breach incident
According to the ICO, the breach happened after visitors to the BA website were diverted to a fraudulent site, where cybercriminals were able to get their hands on the personal data of approximately 500,000 users. ICO Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”
Under the new law, corporations entrusted with customers’ personal data are responsible for keeping it safe from malicious attackers. The ICO scrutinizes companies to check whether appropriate steps have been taken to protect fundamental privacy rights.
The British Airways data leak was first revealed in September 2018, when the airline stated that the breach had affected roughly 380,000 transactions. It said, however, that the stolen data did not include travel or passport details.
What was stolen?
According to the ICO, the hacking started in June 2018. It said that a wide range of user information was compromised, and attributed this to poor security arrangements; the compromised data included log-in, payment card and travel booking details, as well as name and address information.
British Airways responded that the details stolen included names, email addresses, credit card numbers, expiry dates and the three-digit CVV codes. The airline, however, denied storing CVV numbers.
The new data protection rules
The EU GDPR was the single biggest change in how regulators treat data breaches. The new rules make it compulsory to report a breach to the Information Commissioner. The maximum penalty for negligence was set at 4% of turnover.
In British Airways’ case, the penalty amounts to 1.5% of its 2017 turnover. Although much less than the maximum, it is still an outrageous 367 times the previous record $625,000 fine imposed on Facebook for the Cambridge Analytica data scandal, which was the maximum fine under the earlier data protection regulations.
A clear message to Major Corporations
It can be argued that the European data privacy watchdog could have taken a more cautious approach when first penalizing under the new laws. But the sheer, unprecedented size of the fine is a wake-up call to corporations worldwide and their cybersecurity teams.
Generally, the person heading cybersecurity is designated Chief Information Security Officer (CISO). The step is a firm caution to companies to shore up their act and treat customer privacy with due gravity.
A loud and clear message: take the security of customer data utmost seriously, or pay a severe penalty if you are breached. While the amount is certainly raising eyebrows, it can also be argued that British Airways could have had it worse: had the fine been set at the maximum 4%, it would have amounted to $625 million.
What can British Airways do about the fine?
The airline has 28 days to appeal. Willie Walsh, Chief Executive of parent company IAG, stated that BA will take it up with the ICO: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
British Airways CEO Alex Cruz has said that the decision has “surprised and disappointed” the airline: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
It should be noted that the ICO revealed that British Airways cooperated fully during its investigation and had made appropriate improvements to its security framework.
By: Chitresh Sehgal, Senior Editor, Dkoding Media