back to article British Airways fined £20m for Magecart hack that exposed 400k folks' credit card details to crooks

British Airways is to pay a £20m data protection fine after its 2018 Magecart hack – even though the Information Commissioner’s Office discovered the airline had been saving credit card details in plain text since 2015. The fine, announced this morning by the UK's data watchdog, is almost exactly at the reduced £19.8m level …

  1. wyatt

    I hope that, if their insurance company is approached to cover the fine they give them the finger. To have user credentials saved in files like that is one of the 'unforgivables'.

    1. Mike 137 Silver badge

      one of the 'unforgivables'

      Very common though. It was the prime cause of the massive scale of the Equifax breach of 2017.

  2. macjules

    Reduce the fine or ..

    1) we will start sacking flight crew. Oh wait, we already starting doing that.

    2) we will have to sell one of our islands. Oh wait, we’re not Virgin Ontheridiculous.

  3. Anonymous Coward
    Anonymous Coward

    I'm not aware of any other companies getting their legal fines reduced because of Coronavirus....why should BA be an exception? Especially since the event they're being penalised for happened LONG before Covid-19 struck...

    1. NeilPost

      Shameful

      Absolutely Fucking shameful of the ICO and makes them look ineffectual pussies when it comes to enforcement.

      Take the £20m as a down payment and defer the rest of the fine until BA turn around - say 2025 - and bust their ass then... rather than getting away effectively Scot-free and laughing their socks off. The fine was only delayed as they appealed and appealed against it.

      The ICO chair should resign.

    2. Anonymous Coward
      Anonymous Coward

      Probably something to do with the ICO's legal budget being ~£2m/year, and BA's being substantially higher, thus this being a pragmatic solution - find the upper of end of what BA are willing to pay, or be dragged through the courts with legal challenges until no-one cares. :(

      1. NeilPost

        £20m is fuck all.

        A £100m settlement would have been equitable... £20m now, and the rest paid off in instalments reflective of BA’s recovery/financial performance.... like say the boards remuneration package.

        Nasty airline.

        Watch Marriott pled poverty next.

        1. Oh Matron!

          I'm expecting Alex Cruz to have the same meteoric rise in Govt as Dido Harding, captain of another hack...

          1. NeilPost

            Don’t forget Willie Walsh.

            He’s on the lookout for a new challenge having left IAG in a staff-bloodbath blaze of ignomany that should fit in well with BoJo’s government of fuckwits.

        2. Halfmad

          They should be forced to display a warning on any checkout pages for 5 years stating they have screwed up the past and that consumers should consider carefully before spending with them.

        3. Mike 137 Silver badge

          Unfortunately

          This is the maximum fine the ICO can impose by law. The draft statutory guidance on its regulatory action states that the Higher Maximum Amount (theoretically 4% of global annual turnover or 20M whichever is greater) is capped at 20M in the UK, although the guidance refers to Euros not GB pounds, which is going to be fun from January 1st..

          Rather invalidates the purpose of the alternative.

          1. viscount

            Re: Unfortunately

            That does seems strange: it means the GBP 20m penalty is higher than their permitted maximum of EUR 20m.

          2. EnviableOne

            Re: Unfortunately

            no its not

            the limit is 2% of global turnover of the undertaking (in this case IAG) in the year previous to the offence, or 20 million euros, whichever greater

            the UK legislation translates the 20 million euro to 17 Million pounds

            22,880 million euro in year to dec 2017 so 4% of that makes 915 million euro

            so their initial fine of 189miliion pounds was well short of this, and considerably less than the 700million euro they returned to shareholders in that year, as a special dividend, on top of the standar 600Million euro normal one

          3. NeilPost

            Re: Unfortunately

            I think the £193m levied was reflective of this.

            You are talking British Airways/IAG ... not plucky small players like LoganAir.

            Like I said above, take the £20m as a down payment and defer the rest for a few years and they can pay in instalments tied to company recovery/performance goals.No board ‘performance’ (sic) bonuses until all paid off.

      2. Anonymous Coward
        Anonymous Coward

        Isn't legal / taking organisations to court (or the threat of) their raison d'être? How the heck can they only spend £2M a year on that?

    3. Cynic_999

      Pragmatism. If a company is in such financial difficulty that the fine will massively increase the number of job losses, you have to ask yourself who ends up being punished - and is that a just or fair result? Perhaps instead of reducing the fine, it should be deferred or taken in installments as a percentage of profits every year until paid.

      If the fine is big enough that it is likely to result in the company going bust before it could raise that much money, it's a pointless exercise anyway and the main losers are the innocent employees.

      Maybe better would be to make the fine much smaller but have the directors pay it personally rather than coming from the company account. I suspect that if the directors were to be fined £2 million it would have a far greater effect on their desire to ensure it doesn't happen again than fining the company £20 million.

      1. davenewman

        Well, since we need to drastically reduce the number of flights to save the planet, we need to make a lot of airlines close, starting with the most expensive ones.

      2. NeilPost

        I’m assuming they have slashed boardroom pay by 50%, axed bonuses, slashed the dividend for the foreseeable future until BA is on a sure footing.... before they approached the fire and rehire of a fraction of their employee’s...

        I doubt any customer with a BA Holiday part paid claiming poverty would get the balance waived.

        Indeed a friend of mine as a (now ex-) long standing loyal BA Executive member is spitting about being royally fucked over by BA on bookings/vouchers/refunds.

        1. anothercynic Silver badge

          Interesting... They've converted all their 'you have to call us to spend this' voucher things to e-vouchers you can spend on other flights online, soooo... where's your friend been failed?

        2. 0laf Silver badge

          A huge company like BA? They'll have had a "Legal fines contingency fund" set up for years, this will barely be a footnote in the accounts

      3. Gene Cash Silver badge

        If a company is in such financial difficulty that the fine will massively increase the number of job losses

        Then perhaps they're so ill-managed they should go out of business.

        ESPECIALLY when they say shit like "credit card data breaches are an entirely commonplace phenomenon and an unavoidable fact of life”

        Every last one of them should be selling pencils on the street corner.

      4. Anonymous Coward
        Anonymous Coward

        "...if the directors were to be fined £2 million it would have a far greater effect..."

        HR are would just give them £2M as a shares bonus to compensate.

  4. Anonymous Coward
    Anonymous Coward

    What do you expect. Fairness and justice.

  5. Doctor Syntax Silver badge

    "the airline had been saving credit card details in plain text since 2015."

    Presumably this is going to be subject to a whole lot of other actions from financial regulators and credit card companies.

  6. viscount

    They were saving the CVV too which seems like a basic error. No idea why.

    1. Anonymous Coward
      Anonymous Coward

      which seems like a basic error

      Not to mention being a direct violation of PCI-DSS rules.

  7. circusmole

    Who will finally pay for the £20M fine...

    ...That's right - the customers! It's obvious that they will just load up their prices to recover the £20M, plus a little bit extra for their trouble, and there you go.

    This has always been the case with this fines to the big companies, it's always the customer that pays in the end. There is, presumably, someone responsible for the security of customer data and someone accountable when they do not do their job properly. It is this person that should be held to account and personally fined and/or jailed. Typically this would be a board member.

    Of course this will never happen, but I can dream.

    1. Anonymous Coward
      Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Not the customers, by the time people start flying again, BA will have gone bankrupt. Unless our Glorious Leadership decides to chop down a few extra trees, print a few billion GBP more, give it away. We're fucked anyway, so let's party while we can!

      1. NeilPost

        Re: Who will finally pay for the £20M fine...

        Ahh in that case IAG will do a dodgy Pre-Pack administration buy-back .... aka “dump the debt, dump the liabilities and fuck the creditors”

    2. Anonymous Coward
      Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Alternative solution to (expensive) flying: container ships. Punch a few holes, hang some hammocks, bring your own device and food, and voila, you can fit a good few people in them ships. What's a few days' delay, when you're unemployed anyway. Perhaps they need some offshore call centres off India? :)

      1. NeilPost

        Re: Who will finally pay for the £20M fine...

        Don’t forget some miniatures from Tesco and a ready meal from Heron Foods.

    3. Anonymous Coward
      Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Customers? On airlines? You've seen whats happening globally with air travel right?

      It will be governmanet bailouts and tax payers that pay the fine.

      Or am I being pessimistic and all will return to the golden days of airlines struggling to avoid going bust by 2022?

  8. Anonymous Coward
    Anonymous Coward

    British Airways fined £20m for Magecart hack

    click here to complete a voucher form...

  9. EnviableOne
    Mushroom

    NO TEETH

    The ICO has none, PCI have none, either that or they are refusing to use them.

    This is a major breach of both GDPR and PCI-DSS, and neither regulator took any usefull enforcement action.

    There should be binding conditions on IAG and BA, and they should have restrictions on their payment processing (requiring step-up authorisation)

    They should also be required to be audited by the ICO to identify any othee shoddy practices...

    </rant>

    1. NeilPost

      Re: NO TEETH

      European Court?? ... before we get fucked over with a no-deal at the end of the Transition Period ??

    2. NeilPost

      Re: NO TEETH

      With many things government/law/legislation/regulatory based the problem is generally not enough law or new law required it’s baffling lack of enforcement of the existing legislation.

      1. Alan Brown Silver badge

        Re: NO TEETH

        ...it’s baffling lack of enforcement...

        It's not baffling. The ICO is _deliberately_ crippled by design and every step to increased powers of fining, etc has been blocked by governments of the day _and_ the ICO administrators themselves

        The possibilities are there to hold directors personally responsible for company failings (limited liability only shields SHAREHOLDERS from _financial_ responsibilities) but an utter unwillingness to actually do it

  10. Anonymous Coward
    Anonymous Coward

    ICO - once a chocolate teapot

    Always a chocolate teapot.

    British "justice".

  11. Anonymous Coward
    Anonymous Coward

    Maybe a(n even) more pragmatic solution

    Which wouldn't affect innocent employees or business viability would be to ban the relevant board member from being a director (of any company) for a minimum of 5 years, longer if the circumstances warrant it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like