British Airways record fine and data breach lessons learned

10th July 2019

Just two weeks ago we reflected on the one-year anniversary of the General Data Protection Regulation (GDPR) and highlighted how the promise of imposing fines has become a reality.

This was reiterated this week when we learned how far the Information Commissioner’s Office (ICO) is prepared to go: it announced its intention to fine British Airways (BA) a record £183 million for last year’s breach of its security systems. It is the biggest penalty the ICO has ever proposed.

Under GDPR rules companies can now be fined a maximum of 4% of annual global turnover. While the BA penalty is the largest proposed to date, it represents just 1.4% of turnover, so if the ICO had wanted to, the fine could have been much bigger.

The fine far exceeds the £500,000 handed down to Facebook for its role in the Cambridge Analytica scandal. Credit reference agency Equifax was also fined £500,000 after it suffered a cyber-attack in July 2017, which affected 146 million people globally. Both of those penalties were the maximum available under the Data Protection Act 1998, the law in force before GDPR.

According to a BBC report, other companies that have had fines slapped on them for data breaches include Sony (£250,000), TalkTalk (£400,000) and Carphone Warehouse (£400,000), to name but a few.

So, what exactly happened at BA to merit such a penalty? Let’s give you a brief reminder. In September 2018, BA admitted that hackers had embarked on a “sophisticated, malicious criminal attack” on its website, which resulted in 500,000 customers’ details being harvested by hackers as users were diverted to a fake site.

The ICO relayed in a statement issued yesterday: “Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.”

The ICO said its investigation had uncovered different types of information that had been compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.

Under GDPR rules, companies are meant to keep all these details safe. “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Information Commissioner Elizabeth Denham.

While the ICO highlighted that BA has co-operated with the investigation and made improvements since the vicious attack, it is clear that the airline closed the stable door after the horse had bolted.

The proposed fine is an astonishing one and the company is no doubt stunned by the ICO’s decision, which shows that the regulator is by no means afraid of wielding the new powers it has been given.

It’s set to create many sleepless nights in the weeks, months and years ahead for any department head in charge of data protection and cyber-security. Hackers may be sophisticated and attacks may be vicious, but there’s no wiggle room for leaving the door open to any form of attack.

This is why it’s so vital to have experts looking at your company’s cyber-security strategy. An outsider, in particular, may spot some mistakes that have not been identified internally.

However, hiring a data protection officer on a full-time basis can be quite expensive. This is why we, at SchemeServe, have created a solution whereby companies can hire out SchemeServe’s DPO for a fraction of the cost. There’s no harm in having an outsider’s point of view, especially now when a mistake can end in a costly fine.

Further reading:
What we have learned about GDPR just one year on 
The importance of hiring a data protection officer

Image by pkozmin from Pixabay 
