[BreachExchange] British Airways faces record-breaking GDPR fine after data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jul 8 10:00:00 EDT 2019


https://www.theverge.com/2019/7/8/20685830/british-airways-data-breach-fine-information-commissioners-office-gdpr

The UK’s data watchdog has announced plans to fine the airline British
Airways a record £183 million over last year’s data breach. The
Information Commissioner’s Office (ICO) said that “poor security
arrangements” at the company led to the breach of credit card
information, names, addresses, travel booking details, and logins for
around 500,000 customers. The fine would be the largest the ICO has
ever issued, BBC News reports, far more than the £500,000 fine against
Facebook for the Cambridge Analytica scandal, which affected millions
of users. British Airways now has 28 days to appeal the proposed
penalty before it is made final.

In a statement, the Information Commissioner Elizabeth Denham said
that the loss of personal data is “more than an inconvenience” and
said that companies should take appropriate steps “to protect
fundamental privacy rights.”

“People’s personal data is just that – personal. When an organisation
fails to protect it from loss, damage or theft it is more than an
inconvenience. That’s why the law is clear – when you are entrusted
with personal data you must look after it. Those that don’t will face
scrutiny from my office to check they have taken appropriate steps to
protect fundamental privacy rights.”

The fine comes less than a year after the regulator fined Facebook
just £500,000 for the Cambridge Analytica scandal, which affected as
many as 87 million users. If that sounds small to you, that’s because
it most definitely was. However, Facebook’s fine was the maximum legal
amount allowed under the UK’s previous data privacy regulation, the
1998 Data Protection Act. At the time regulators said it would have
been “significantly higher” under the new GDPR rules. GDPR allows a
company to be fined a maximum of 4 percent of its annual worldwide
turnover (or €20 million, whichever is higher); BA’s fine amounts to
about 1.5 percent of its 2017 revenue.

Responding to the news, British Airways’ chairman and chief executive
Alex Cruz said that the company was “surprised and disappointed” by
the ICO’s decision, and added that the company has found no evidence
of fraudulent activity on accounts linked to the breach. The ICO notes
that the company cooperated with its investigation, and has made
security improvements since the breach was discovered.
