UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …


      1. Alan Brown Silver badge

        Re: Should be more expensive

        On the other hand, if BA do it again, the fine will be larger and negotiation won't be much of an option.

        Most regulators work on the basis that the first bite is low value, but if they ever have to show up on your doorstep again then they're going to go over every inch of your business with a fine tooth comb and they won't be forgiving about what they find.

  1. SGJ

    £183 million sounds a lot...

    ... but it works out at only £366 per card (or the price of a couple of aircraft?)

  2. Anonymous Coward

    more or less the lower end of the price of one of the 747-400s

    Not been made for a while, a good 14 years for the passenger version. A bit more up to date journalism gives the 787-8 list price (big airlines never pay this) as $248.3M (£198.64M), makes good copy but sadly way off the mark.

    Anyhow anyone giving BA a good kicking always deserves a cigar in my book, luggage losing overbooking rude bastards.

  3. Joe Gurman

    Isn't it time....

    .... to start comparing fines to actual (not list) prices of A380s, which have pretty much become as past-tense in terms of production as the passenger versions of the 747?

  4. Greg D

    Unpopular Opinion

    This may not be popular here, but haven't we got cyber security backwards?

    Why are we fining the organisation holding data for the fact someone stole that data? The following analogy may be over-simplified, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They don't turn around and fine the victim of the theft, saying that they should have better protected the vehicle.

    I know this gets a bit murky with it being other people's personal data, however hear me out... if the data was stolen from adequately protected systems, why is it the data holder's (victim in this case) fault that data was stolen? They didn't steal it. They certainly didn't want it stolen.

    They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream.

    Why are we not putting effort into identifying and punishing the perpetrators of the hack instead of the victims?

    Not to be sticking up for BA specifically here, but this has been on my mind since they came up with this whole fine companies for data breaches thing. I assumed it was meant to catch stupid fuck ups, like leaving sensitive USB sticks lying around, or laptops unlocked etc. Just seems a little backwards and gives hackers more freedoms than anything.

    1. DavCrav

      Re: Unpopular Opinion

      "The following analogy may be over-simplified, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They don't turn around and fine the victim of the theft, saying that they should have better protected the vehicle."

      They didn't own the data, it was someone else's. If the 'we hold your possessions securely' storage company actually just lets anyone in and lets them take anything they want, they will be done as well.

      "They obviously have some level of basic security deterrents in place, all companies do. "

      Apparently, although I am not an expert in this, their safeguards were well below best practice, hence the fine.

    2. MrSeaneyC

      Re: Unpopular Opinion

      You would have a point, if the data was stolen from adequately protected systems. As it was, this is not the case. IMHO running unchecked 3rd party code on your payment pages is completely negligent. Personally I think the fine should be much bigger than this given BA’s unbelievably arrogant stance (“The details weren’t used for fraudulent transactions” - Err, yes they were, plenty of people who only used their card on BA having it cloned within the affected period) and the fact it will obviously be batted down through the process.

    3. Sandtitz Silver badge

      Re: Unpopular Opinion

      "if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They don't turn around and fine the victim of the theft,"

      The victim owned the car and was responsible to the owner - himself. You can't sue yourself. (not sure about USA...)

      "saying that they should have better protected the vehicle."

      Oh, most plods will state the obvious to the victim...

      "They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream."

      So... since nothing can be secured 100%, why bother at all with security?

      The question here is whether there were reasonably good safeguards against data theft. The nature of the theft has not been discussed but hopefully an inquiry into this will enlighten us whether BA had the equivalent of Fort Knox for customer information storage, if all data was stored on an unpatched XP in the cupboard, or something in between.

      If the safeguards were adequate, encryption everywhere, hashed passwords, everything PCI DSS compliant etc, the fines may be lowered or cancelled. They haven't been fined yet.

      "Why are we not putting effort into identifying and punishing the perpetrators of the hack instead of the victims?"

      Who says that no effort has been made to identify the perps? The problem with many digital heists is the lack of evidence if the perps have known how to hide their traces.

      1. Frau Blücher

        Re: Unpopular Opinion

        To continue the car example, there are two elements involved. One is liability in criminal law - that is only the responsibility of the car thief. The other would be civil liability. Again, that is the car thief's responsibility, but of course we know most thieves never pay for the cars they steal.

        Therefore of course, we usually insure our cars against theft. The insurer will pay the value for the stolen car or its damages, but only if the insured hasn't been negligent or sloppy. If you leave it unlocked with the keys in then you won't get covered. But leaving it in a dark alley in a dodgy part of town is usually not grounds to refuse payment (I think - depends on the policy I suppose - foreign travel to some countries is excluded).

        Taking this together, I agree with the original poster - this is like the police fining the car owner (or say the friend of the owner who was using the car) - I guess the question is, has the friend done the DP equivalent of leaving the keys in the ignition, or just parked it somewhere dodgy? I guess in the former case a fine is legitimate, BUT it still is (to me) a very blunt tool to set a liability.

        In theory there is already negligence law which could allow an individual person to sue a data holder for negligently letting it leak out. But the victim would have to show some kind of loss. The scale of these fines suggests this link is absent (360 quid per person involved) - weird to set it by reference to the global revenue. Maybe one victim lost nothing, and another had 1,000s of pounds run up on their card. Each person should get their respective sum lost.

  5. amanfromMars 1 Silver badge

    The Nitty Gritty on the Insane Virtualised Cost of Doing New Business with 0 0Day Protection Cover

    Is any realistic valid insurance cover available to all parties such as a British Airways to ensure information and intelligence breaches are not possible and preventable?

    Failing that facility being ready for immediate secure supply, are not breaches and leaks not normal courses of action and fully to be expected rather than bizarrely penalised with fantastic fiat fines?

    So who fronts and dons the Dick Turpin mask for such daylight highway robbery?

    1. cynic56
      Joke

      Re: The Nitty Gritty - title too long for The Register etc.

      You are a bad person! My brother almost lost his job for (innocently) using the phrase N*tty Gr*tty (see, I can't even bear to type the words because they are so racist )- honestly!

      1. Intractable Potsherd

        Re: The Nitty Gritty - title too long for The Register etc.

        I hadn't heard this gem before, so I've just done some research. There is absolutely no - repeat no - evidence that the term "nitty-gritty" is racist. This ridiculous farce needs to be killed as soon as possible.

  6. Phil Kingston

    180 million...

    .... would have bought a lot of pen testing.

    Heck, 18m would have probably done it.

  7. Frau Blücher

    Watching the GDPR actually get used makes me uncomfortable. Besides the mental and ongoing costs of compliance, the actual enforcement seems to be an affront to basic principles of justice. BA's argument is a fair one: what is the harm done here, and how does that link to the penalty awarded? That is the starting point for damages awarded in normal civil claims in the common law world. And why does the regulator get to set the penalty? They act as rule maker (via guidance docs issued), prosecutor, and jury. Fine - this gets appealed to the proper courts, but usually this kind of right is granted only to police in fairly low level offences (e.g. speeding tickets). The scale of penalties creates vast power in a single regulator. And finally, it is essentially victim blaming - in most UK cases the data controller has been hacked, which is in fact a crime against them - imagine applying this logic to victims of sexual violence...

    The answer to all of this is that this is a European invention and this is how things go in civil law countries. Ok fine, but it doesn't sit well with the common law tradition. And as usual it seems to me the UK regulator enforces the "rights" rigorously and hands out swingeing fines, even against local UK companies (when the fines were in reality calibrated to hit FB, Google etc.) - whereas various continental counterparts get away with fairly limited fines, if they get fined at all.

  8. spold Silver badge

    747 payment settlement

    Looking forward to seeing the new 747 in "ICO Enforcement" livery
