British Airways faces record-breaking GDPR fine after data breach

Illustration by Alex Castro / The Verge

The UK’s data watchdog has announced plans to fine the airline British Airways a record £183 million over last year’s data breach. The Information Commissioner’s Office (ICO) said that “poor security arrangements” at the company led to the breach of credit card information, names, addresses, travel booking details, and logins for around 500,000 customers. The fine would be the largest the ICO has ever issued, BBC News reports, far more than the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions. British Airways will now have 28 days to appeal the ruling before it is made final.

In a statement, the Information Commissioner Elizabeth Denham said that the loss of personal data is “more than an inconvenience” and said that companies should take appropriate steps “to protect fundamental privacy rights.”

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The fine comes less than a year after the regulator fined Facebook just £500,000 for the Cambridge Analytica scandal, which affected as many as 87 million users. If that sounds small to you, that’s because it most definitely was. However, Facebook’s fine was the maximum legal amount allowed under the UK’s previous data privacy regulation, the 1998 Data Protection Act. At the time regulators said it would have been “significantly higher” under the new GDPR rules. GDPR allows a company to be fined a maximum of 4% of its worldwide turnover; BA’s fine amounts to 1.5 percent of its 2017 revenue.

Responding to the news, British Airways’ chairman and chief executive Alex Cruz said that the company was “surprised and disappointed” by the ICO’s decision, and added that the company has found no evidence of fraudulent activity on accounts linked to the breach. The ICO notes that the company cooperated with its investigation, and has made security improvements since the breach was discovered.

Comments

Great, about time companies are punished for not managing our data properly

This has taken far too long, I’m shocked at how easy we are on companies that are this negligent. Of course it’s "a complex Computer Science problem" as people tend to call it, but companies like Equifax, British Airways, Yahoo or the OPM should not be allowed to hide breaches under the rug.

Especially Equifax. They automatically get everyone’s IDs and there’s no way to opt out unless you deliberately take pains to spend your real life in "incognito mode".

Yes it’s great, the fine is actually at a level where it will hurt the company. It should make other companies take it seriously that haven’t so far.

Data such as?
Credit cards? At what point are we going to blame credit card issuers for not requiring 2 or 3 factor authentication for charges to your card?
SSNs?
At what point are we going to blame credit reporting agencies for not requiring 2 or 3 factor authentication for opening accounts and unlocking credit history?

Regardless of how valid your points may be, none of that absolves the company holding the personal data from keeping it secure.

and added that the company has found no evidence of fraudulent activity on accounts linked to the breach

That is completely beside the point.

The only thing that irks me is that Facebook’s fine was so small compared to this one, yet the effects were far, far worse.

As stated in the article that was under the old data protection act not GDPR. Unfortunately the old one (from 1998) wasn’t really designed for the sheer scale of internet age data breaches.

I would argue the British Airways hack was worse given that credit card information and login details were leaked (meaning an attacker can buy a trip around the world on your dime).

GDPR was passed only at the end of May 2018.
I am sure next time Facebook will pay more (if it is enough to make a dent in their bottom line remains to be seen though)

Up to 4% of global turnover?

That’s $2.23B against their 2018 revenue.

This is the way things should work globally. Hopefully the entire fine sticks and isn’t appealed down to some paltry slap on the wrist.

I don’t really like this because punishments like this:

  1. Effectively have jurisdiction outside the EU – the punishments were based on the total number of people affected, regardless of where they live, and are based on the worldwide revenue of the company, not just what they make in the EU
  2. All that money goes straight to the EU and not the people who were actually harmed by the security breach
  3. It doesn’t appear that the significance of the data has much bearing on the fine

Regardless of how much money you put into security and how much of an effort you put into protecting that data, if you can be fined these enormous sums of money, it could easily put a business with very low margins out of business altogether. A malicious state actor, like Russia, could systematically use state-level exploits to breach the most secure data of Western companies that are very close to going under and the EU will gladly put them out of their misery.

A company like Equifax should have been charged with fines much higher than this, but I’m not sure if punishments like this are entirely warranted in every situation.

1.) Global turnover is a trivial number to obtain for publicly traded companies. Revenue inside the EU is a much harder task – especially for the cases GDPR is most concerned about. For example, assume 100% of FB users are in the EU and 0% of advertisers are. What is FB’s revenue for the EU then? 100% because ads were shown and tailored to EU users, or 0% because no EU company paid anything to FB? Similar thing goes for the number of affected individuals and whatnot.

2.) True, but distributing that money to affected individuals is nearly impossible without further invasion of people’s privacy. Plus a lot of the fine is punitive.

3.) Uh, credit card info (especially tied to name and address) is about the most serious data you have. It is trivial to exploit with serious consequences.

Oh really? An American dares complain about some other country’s laws’ extraterritoriality? Are you effing kidding me?

I love this. It’s been my wish that the NSA would be converted to a R&D + Regulatory agency, instead of a straight up spying one. Proliferate security standards downwards from government agencies, parties, large corporations, to consumers. Mandate a time frame for them to be put in place and do random surprise audits.

I consider data breaches to be like economic inflammation. It should be treated as such, keeping capital within its intended locations. Fraud insurance is rent seeking on standard transactions. We should be trying to remedy it. First step is to lessen the risk of fraud. Same as with automated driving and better crash ratings, lessening the cost of insurance premiums.

So basically the UK is boasting its highest fine ever, against one of its own companies, based on a European directive, a system that the UK is increasingly eager to leave… Love the irony.
I wonder though: what will happen to Ms Denham’s Commission when Brexit is effective? Isn’t the UK supposed to rewrite large swaths of legal texts to separate its law from the EU’s? Considering the awe-inspiring mess there, I find it hard to believe they’ve gone very far… have they?

I believe the idea is they’ll pass one law that assimilates all EU law into British law, with a few immediate modifications if there’s anything particularly upsetting to Brexiters. Then they spend the next however many decades going through it all slowly superseding it with updated British law equivalents.

Then there’s the murky area of the EU dictating certain jurisdictions if the UK wants to continue a working relationship. Something like GDPR might end up being EU controlled and mandated even in an independent EU because of whatever trading arrangement is agreed…

Either way the term clusterf**k comes to mind!

Thanks for the clarification, very nice of you. I remember reading it was going to be (yet another…) mess, but that must have been at the beginning when things were even less clear.
Clusterfuck is a really nice term, I think we need to invent a new one…
