back to article UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …

      1. Doctor Syntax Silver badge

        Re: Great solution

        Therein lies a problem. If a sufficient number were knowledgeable enough to use blockers there's be a sort of herd immunity in that the site owners would have to make a choice between tightening up or losing custom.

        1. mikeo
          Stop

          Re: Great solution

          "If a sufficient number..."

          Which is highly unlikely to ever happen. Ever asked a non-techie to use NoScript? Hard enough convincing them to use unique passwords and patch their shit which is of far greater benefit. Blocking scripts, while interesting and useful in some cases, is not a workable solution.

          1. Doctor Syntax Silver badge

            Re: Great solution

            "Blocking scripts, while interesting and useful in some cases, is not a workable solution."

            It is for those who use it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Great solution

              no, blocking scripts is not a workable solution for certain scenarios, and I hate to say this, because I use half a dozen (or more) ad blockers, on top of scrip-blocking. But when I buy (not search for!) an airline ticket, or any other product or service online, I go to the old ugly IE. I just don't have time / patience to chase my bank or shop over the phone, when my payment, put through well-defended firefox, comes up with an "oops, something went wrong" page.

              1. 0laf Silver badge
                FAIL

                Re: Great solution

                Yep awful but true.

                Banking websites as well. Many unusable without turning off script and tracking blockers.

    1. Elregouk

      What planet do you all live on? Javascript is a part of the modern internet. Fucking get a grip. Put your tinfoil hats away

      1. Anonymous Coward
        Anonymous Coward

        We live in a place where we pick what we like to be exposed to and what actions we do that will affect our lives, like what to eat, who to meet, and which javascript to load.

        Unlike the common people like you who just blindly put their trust on random strangers and hope you don't get F*cked and Gripped, when in reality real people are getting F*cked and Gripped for the very same mistake.

        1. Elregouk

          Common people?? Arrogant wanker.

  1. Vivid Professional

    BA dont have any B747-8's.............. They have B747-436's but defo not a B747-8

  2. MJB7

    GDPR

    Ah-ha! Now we start to see cases actually *under* GDPR. If the fine goes through at anything like this level, boards are going to start paying rather more attention to whether they actually need that data, and if so, how to protect it.

  3. Anonymous Coward
    Anonymous Coward

    Good

    Let this be a lesson to all large companies. Put money into securing your shit, or we'll take it off you as a massive penalty when you allow yourself to be hacked, and you won't get a bonus!

    1. Fred Dibnah

      Re: Good

      I'm pretty sure bonuses and dividends will be unaffected.

      1. Anonymous Coward
        Anonymous Coward

        Re: Good

        Bonuses - hell no.

        Dividends - likely, though not included in the latest dividend (£700M paid today, by the way...) since nothing has been fined yet. If that £183M needs to be paid in a later day, it will affect the dividend and probably the stock price as well.

        Year-over-year the stock has lost almost 40% of its value, which may make some investors tad nervous. This tanking probably has very little to do with this data blurt, but heads may roll in any case.

  4. codejunky Silver badge

    Hmm

    The data was stolen from BA. BA have been stolen from and now they will be fined for being the victim of theft. Cooperating with the investigation and the attackers seem to be known as a criminal group who do this.

    Just reads a little odd. Maybe BA did bad. But I must have missed that bit.

    1. Phil O'Sophical Silver badge

      Re: Hmm

      It's not a question of blame, or victim/thief, it's purely one of responsibility. BA took its customers' data and failed to protect it adequately. The buck stops with them, and they get the fine.

      1. 0laf Silver badge
        Mushroom

        Re: Hmm

        Eh?

        If a bank took your valuables, charged you for the privilege of having an account to store these things and then left the safe door open letting evreything be stolen one evening would you be thinking "aw poor bank they didn't mean it to happen, never mind about my precious things you look sad". I don't think so.

        As someome else has pointed out if you do everything you should have done and data is still stolen from you then in all likelyhood you will not be fined by the ICO.

        BA were incompetent and thoroughly deserve a multimillion £ kick in the nads. I'd also add IMHO they are bloody incompetent as an airline as well.

    2. STOP_FORTH Silver badge
      Facepalm

      Re: Hmm

      BA dun incompetent. If BigCo wants your private data they are supposed to look after it properly. GDPR isn't hard to understand, people just find it hard to do. Or they can't be bothered.

    3. Tom 38

      Re: Hmm

      BA haven't been stolen from, because they didn't own the data that was taken. BA have been fined because they were unreliable guardians of that data.

    4. codejunky Silver badge

      Re: Hmm

      I understand the replies I am getting, that BA was to be responsible for the data. But the data can always be got to in some way or other and so anyone can be stolen from (physical or digitally) as proven every day.

      I have no problem with a fine for BA if they didnt do the expected things to protect the data (and that might be the case here, I just didnt see it) but to be fined because you were stolen from, even if its other peoples property stolen from your possession, seems harsh.

      I am not against strong protection of user data. But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.

      1. Tom 38

        Re: Hmm

        But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.

        Which they didn't do, which is why they get the big fine, and about fucking time.

    5. Charlie Clark Silver badge

      Re: Hmm

      It's negligence: British Airways failed to protect customers' personal data correctly.

      GDPR makes it quite clear that companies that can demonstrate that they have followed the recommendations of the data protection regulators have little to fear. In essence, GDPR limits their exposure to cases brought as a result of their behaviour, as courts can point the settlement and say: dealt with.

      By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action.

      However, at the end of the day, the fine sounds worse than it actually is, because it is a charge that can be offset against tax.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmm

        By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action

        It seems disproportionate to me. I don't know the details but it was not the case that BA took no security measures and once they knew there was an issue they did respons albeit that the measures and response may have been inadequate and/or tardy. The fine seems orders of magnitude more than reasonable and thsi is reinfirced by the comaprison with Boeing.

        Boeings provision is half teh fine against BA. It is quite clear that they designed and manufactured an aircraft which was unsafe. The issue was ,even given allowance for hindsight, of such an obvious nature it should have been identified and there is evidence that the information given to the regulator was misleading and innacurate. Hundreds of people have died as a result of this and yet the provision made is only half the amount that BA have been fined as a result of being victims of a criminal attack for which they were not responsible and in which no one was injured or likely to be injured let alone killed.

        There is a massive disconnect between these two numbers.

  5. Anonymous Coward
    Anonymous Coward

    BOAC

    Better Order Another Certificate

    1. werdsmith Silver badge

      Re: BOAC

      That certificate expired in 1974.

      1. Fred Dibnah

        BCal

        Better Call a Lawyer.

  6. MJI Silver badge

    Also worrying

    They are planning to buy some 737s.

    Best avoided then, what a fall over the years.

  7. amanfromMars 1 Silver badge

    It is almost as if it were criminal .......

    Is the fine figure .... £183.39m ..... an arbitrary confection?

    Who decided and who signed off on the figure and who will be spending the windfall and on what are always awkward questions which are hardly ever answered truthfully.

    1. Sadie

      Re: It is almost as if it were criminal .......

      It's a percentage of their Worldwide income IIRC - Maximum they can fine is 4%

      1. theblackhand

        Re: It is almost as if it were criminal .......

        "The total proposed fine of £183.39 million would be the biggest penalty ever issued by the ICO​.

        It is the equivalent of 1.5% of BA's global turnover for the financial year ending December 31 2018."

        Ref: https://www.standard.co.uk/news/uk/british-airways-fined-more-than-180m-for-customer-data-breach-a4184376.html

  8. Anonymous Coward
    Anonymous Coward

    28 days later... the fine has been reduced on appeal to £1.83 and it’s business as usual and trebles all round at BA. I hope I’m wrong.

    1. Charlie Clark Silver badge

      No need: the fine can be declared as cost and, hence, offset against tax. Someone goes for early retirement and then it's G&T's in the C-Suite later.

      More important, however, will be the precedent set by the ruling.

      1. Stu J

        Pretty sure fines aren't tax-deductible...

        Edit:

        https://www.gov.uk/hmrc-internal-manuals/business-income-manual/bim42515

        "Regulatory bodies

        Where a trader incurs a liability to a regulatory body on revenue account that is broadly intended to cover the regulator’s costs of performing its duties in relation to the trading activities, such costs will normally be allowable even where the trader has committed a breach of regulations. However, should a regulatory body impose a penalty for breach of regulations, or should a penalty or fine become payable as a result of a prosecution for a trader’s breach of regulations, this will not be an allowable expense (see McKnight v Sheppard [1999] 71TC419)."

        1. AVee
          Thumb Up

          To get a car analogy in: If you replace your tires because they are worn below the minimum thread depth, the costs of the tires are deductible, regardless of whether you replaced time on time of to (way) late. However, the fine you get for driving with worn tires is not deductible. That seems remarkably in line with common sense...

          Thank you for clearing that up, to many people here seem to think companies can just deduct fines where clearly the can't.

        2. Charlie Clark Silver badge

          For multinationals there is almost always a way. VW would have gone bankrupt by now otherwise.

  9. Yet Another Anonymous coward Silver badge

    Remember the good old days

    When BA was the one doing the hacking and then walked away free because the computer running other airline's data was on their premises and so it wasn't hacking

  10. JoeySter

    It's not entirely clear what the breach actually was. It sounds like more of a client side attack than a breach of internal data. Something as simple as HTML/HTTP browser settings?

  11. andy 103
    Facepalm

    Trivial to mitigate

    The article https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/ points out how attacks like this work.

    In essence a js file hosted on BA's own domain was modified so it posted details to a third party domain. The fact the js file could be modified on their production server is in itself scary, but how can you protect against that?

    An easy way is just to monitor the filesystem for changes to any .js file, say every hour. Perhaps diff it against the master copy in their version control. If there are differences email the entire development team as that safeguards against it being an inside job.

    A couple of mins work, save several million quid in fines and pissing off a load of (lost) customers. Too simple perhaps?!

    1. Charlie Clark Silver badge

      Re: Trivial to mitigate

      but how can you protect against that

      One of the standard setting for any webserver is that its user cannot write to any of its files so that it exists in an effectively read-only file-system. This should be standard practice as it was the goto exploit in the days of CGI.

      But that itself is not the reason for the size of the fine. There was systematic failure across the line, including on how the data was stored.

    2. Anonymous Coward
      Anonymous Coward

      Re: Trivial to mitigate

      "The fact the js file could be modified on their production server is in itself scary, but how can you protect against that?"

      Containers and immutable filesystems?

    3. Anonymous Crowbar

      Re: Trivial to mitigate

      Any kind of FIM should have picked this up.

  12. EnviableOne

    Regulations

    The GDPR wording talks about turnover of the Undertaking, which would extend to the whole of IAG, especially if IT systems are managed as a group resource.

    this would allow the fine to grow

    183m is a baby of a fine, and considering the circumsatnces, size of breach and the Blue Chip status of the BA name, not unreasonable.

  13. SVV

    Such scripts are often used to support marketing and data tracking functions or running external ads

    So they spent their time and money trying to monetise personal data, rather than trying to secure personal data. And people are moaning that they've now had to pay a fine for all the damage it caused?

    Serves them right for seeing personal data as an opportunity rather than a responsibility.

  14. Anonymous South African Coward Bronze badge

    What will happen should you make heavy use of outsourced IT and outsourced IT slips up big-time causing you to be slapped with a major GDPR breach and fine?

    1. Korev Silver badge

      I'd love to know if the "savings" from the above are greater than the fine...

      1. Anonymous Coward
        Anonymous Coward

        So called "savings" from an off shore model is a fad and only people who believe it are the excel spreadsheet experts that care about nothing else but numbers, it's rendering them good results, real question is: will they ever learn their lesson?

    2. Anonymous Coward
      Anonymous Coward

      I'd probably sak them off, I'm sure a decent contract will allow that, and possibly recover charges if they are irresponsible. Although if they lost the data would they be the ones getting the fines? The thing I like about GDPR is that it makes companies think about data where they probably have not bothered before.

    3. Anonymous Coward
      Anonymous Coward

      You pay the fine and then try to get the money back from the outsourcer(s) - good luck with that.

    4. Alan Brown Silver badge

      "... heavily outsourced IT... slips up ... major GDPR breach and fine..."

      You are the data handler, therefore you get the fine. It is YOUR responsibility to ensure the outsourcer is secure.

      This is not much different than a retailer's obligation on sale of goods, vs recovering costs from the suppliers.

      Further litigation between you and the outsourcer over the issue may or may not come under the regulators' purview, depending on how the data was handled and the contracts setup, but you can be assured that if you didn't do your due diligence in the first place you're going to get doubletapped pretty hard by the regulators up front.

  15. Anonymous Coward
    Anonymous Coward

    Should be more expensive

    Fine not high enough. Besides, no one mentions the fact that BA has outsourced their ops to off shore with the penny pinching mindset so many have, yes it's cheap but it also comes with an army of mostly short skilled people who replaced those they once used to have in house. To their management, it's working well.

    1. Charlie Clark Silver badge

      Re: Should be more expensive

      The fines are designed to be punitive but not crippling, otherwise they'd never become law.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like