At last, the ICO has shown some teeth. It is well publicised that under the GDPR, introduced in May 2018, regulators can fine companies up to €20mn or 4% of the company’s global turnover. Up to now, however, GDPR fines have been modest, leading to accusations that the regulators’ bark is worse than its bite.
That seems to have changed. The ICO has issued a notice of its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation.
Dubiniecki: If you have a website and you accept payments through your site and you don’t have a techie or possibly two checking your scripts everyday you deserve to get hacked! Script attacks are very de jour these days.”
The fine relates to an incident in part involving user traffic to the British Airways website being diverted to a fraudulent site. “Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident,” said the ICO.
“The amount of data compromised was huge,” suggested Jake Moore, Cybersecurity Specialist at ESET. “It is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of information personally identifiable.”
“Given that BA had two years to ensure that it had the necessary organisational and technical measures in place before the end of the transition period of the GDPR on 25 May last year,” suggested Ardi Kolah, Executive Fellow, Henley Business School. “The ICO decision will send a clear message to all other companies that there is no room for excuses and that it’s always going to be more cost effective to comply than to be in breach or cut corners with data protection, privacy and security and risk punitive sanctions and fines.”
“This wasn’t an inevitable cyber attack” said Abigail Dubiniecki, a speaker and educator, and privacy specialist at My Inhouse Lawyer said: The ICO’s press release makes it clear that BA lacked appropriate technical and organisational measures to prevent such an attack or mitigate the impact of such an attack. She added: “If you have a website and you accept payments through your site and you don’t have a techie or possibly two checking your scripts everyday you deserve to get hacked! Script attacks are very de jour these days.”
GDPR anniversary: has the regulation backfired? What next?
BA is appealing, against the fine.
BA’s turnover in 2018 was £13bn, so that work’s out at around 1.5% of that. Then again, it could have issued a fine even greater. GDPR fines are not merely limited to a given percentage of a company’s worldwide turnover, but to its parent company’s turnover. In 2018, IAG, BA’s parent, saw turnover of €24.4bn, or around £22bn, so while the fine is massive, it still works out less than 1% of IAG’s turnover.
Google’s GDPR fine, why was it so low?
Under GDPR, companies can be fined up to four per cent of turnover for regulatory violations. In the case of Google, that would be roughly $3.6 billion. Yet, Google’s GDPR fine announced on January 21st was barely one hundredth of that level, why so low?
There are in fact two tiers of fines that can be levied under GDPR, up to €10m or 2% of turnover, or up to €20m or 4% of turnover.
Jake Moore, added: “There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about. Incredibly, this still isn’t the maximum fine they could have been handed either.”
Abigail Dubiniecki raised a question over the time delay in detecting the breach. “This wasn’t an inevitable cyber attack, ” she said. “The ICO’s press release makes it clear that BA lacked appropriate technical and organisational measures to prevent such an attack or mitigate the impact of such an attack. The incident was reported in September 2018 though it was believed to have begun in June 2018. Why did it take so long to detect the breach?”
She continued; “The 72-hour breach reporting requirement is tough for a reason. It’s meant to push organisations to do the hard work upfront: adequately protect the data. Be ready to identify and swiftly address anomalous activity (like malicious scripts). And stop the bleeding once it happens. It takes a lot of pre-work. And sadly website security is a particularly bad yet overlooked area of cybersecurity. Geoff White, author of The Dark Web, stated a cyber conference in November 2018:
“Security obligations under GDPR including having appropriate technical and organisational measures in place to adequately protect the data. Whether is is appropriate is commensurate with the risk. Travel details, payment info, etc. are pretty sensitive. The ICO’s key finding was they failed in that requirement, but I suspect the delay in identifying that there even was a breach certainly didn’t help. It was effectively an admission that they didn’t have appropriate measures.”
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t, will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”