Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

British Airways Faces Record Fine After Data Breach

July 11, 2019

The New York Times reported on July 8th that British authorities have said that they intend to order British Airways to pay a fine of nearly $230 million for a data breach last year, the largest penalty against a company for privacy lapses under the new General Data Protection Regulation (GDPR).

Poor security at the airline allowed hackers to divert about 500,000 customers visiting the British Airways website last summer to a fraudulent site, where names, addresses, login information, payment card details, travel bookings and other data were taken, according to the Information Commissioner’s Office, the British agency in charge of reviewing data breaches.

In a statement British Airways said it was “surprised and disappointed” by the agency’s finding and would dispute the judgment. As you will surmise, that means that the decision is not yet final as to the amount.

The penalty signals a new era for companies that experience large-scale data breaches. Frustrated that businesses were not doing enough to protect people’s online information, European policymakers last year adopted the GDPR, which allows regulators in each European Union country to issue fines of up to 4 percent of a company’s global revenue for a breach. And by acting against an iconic British brand, officials showed that enforcement would not be limited to American-based tech companies, which have been seen as a primary target.

Previously, fines by the Information Commissioner’s Office were capped at 500,000 pounds, or about $625,000. That was the fine it imposed on Facebook last year for allowing Cambridge Analytica to harvest information on millions of users without their consent. Facebook and Google are among other companies currently under investigation by the European authorities over breaches of the GDPR.

Europe’s experience is being closely watched by governments around the world, including in the United States, where policymakers have pursued new privacy legislation that would require companies to be more transparent about how data is collected and used. And while federal privacy regulation in the United States has gained momentum, no one expects it to be enacted anytime soon.

Since the European data-privacy law was enacted in May last year, few penalties have been announced. In January, French regulators fined Google 50 million euros, or about $56 million, for not properly disclosing how data was collected across its services.

The threat of hefty fines is intended to encourage companies to invest in cybersecurity and be more judicious about the user information they collect and store. Companies have for years gathered details about people as a way to create better profiles about them to sell more products and services.

“It gives a sense of what the risk may be for companies involved in far greater breaches,” said Johnny Ryan, the chief policy officer at Brave, a privacy-focused web browser. “Regulators may, finally, be starting to get active.”

The large proposed fine against British Airways is thought to be based on the fact that this was an avoidable breach caused by sloppy security and organizational practices.

As noted above, the British decision to fine British Airways £183.5 million, worth about 1.5 percent of the airline’s annual revenue, is not final. The agency said it would “carefully consider” responses from the airline and others to its penalty before issuing a final decision.

It seems to me that, unless the fines are hefty enough to cause consternation, nothing will change.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:    Phone: 703-359-0700

Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson