I hope that, if their insurance company is approached to cover the fine, they give them the finger. To have user credentials saved in files like that is one of the 'unforgivables'.
British Airways fined £20m for Magecart hack that exposed 400k folks' credit card details to crooks
British Airways is to pay a £20m data protection fine after its 2018 Magecart hack – even though the Information Commissioner’s Office discovered the airline had been saving credit card details in plain text since 2015. The fine, announced this morning by the UK's data watchdog, is almost exactly at the reduced £19.8m level …
COMMENTS
-
-
Friday 16th October 2020 13:31 GMT NeilPost
Shameful
Absolutely fucking shameful of the ICO, and makes them look like ineffectual pussies when it comes to enforcement.
Take the £20m as a down payment and defer the rest of the fine until BA turn around - say 2025 - and bust their ass then... rather than getting away effectively scot-free and laughing their socks off. The fine was only delayed as they appealed and appealed against it.
The ICO chair should resign.
-
-
-
-
Friday 16th October 2020 14:29 GMT Mike 137
Unfortunately
This is the maximum fine the ICO can impose by law. The draft statutory guidance on its regulatory action states that the Higher Maximum Amount (theoretically 4% of global annual turnover or 20M, whichever is greater) is capped at 20M in the UK, although the guidance refers to euros, not GB pounds, which is going to be fun from January 1st.
Rather invalidates the purpose of the alternative.
-
Friday 16th October 2020 15:24 GMT EnviableOne
Re: Unfortunately
No, it's not.
The limit is 2% of global turnover of the undertaking (in this case IAG) in the year previous to the offence, or 20 million euros, whichever is greater.
The UK legislation translates the 20 million euros to 17 million pounds.
22,880 million euros in the year to Dec 2017, so 4% of that makes 915 million euros.
So their initial fine of 189 million pounds was well short of this, and considerably less than the 700 million euros they returned to shareholders in that year as a special dividend, on top of the standard 600 million euro normal one.
-
Friday 16th October 2020 15:27 GMT NeilPost
Re: Unfortunately
I think the £193m levied was reflective of this.
You are talking British Airways/IAG ... not plucky small players like LoganAir.
Like I said above, take the £20m as a down payment and defer the rest for a few years, and they can pay in instalments tied to company recovery/performance goals. No board ‘performance’ (sic) bonuses until all paid off.
-
-
Friday 16th October 2020 15:59 GMT Cynic_999
Pragmatism. If a company is in such financial difficulty that the fine will massively increase the number of job losses, you have to ask yourself who ends up being punished - and is that a just or fair result? Perhaps instead of reducing the fine, it should be deferred or taken in installments as a percentage of profits every year until paid.
If the fine is big enough that it is likely to result in the company going bust before it could raise that much money, it's a pointless exercise anyway and the main losers are the innocent employees.
Maybe better would be to make the fine much smaller but have the directors pay it personally rather than coming from the company account. I suspect that if the directors were to be fined £2 million it would have a far greater effect on their desire to ensure it doesn't happen again than fining the company £20 million.
-
Friday 16th October 2020 16:35 GMT NeilPost
I’m assuming they have slashed boardroom pay by 50%, axed bonuses, and slashed the dividend for the foreseeable future until BA is on a sure footing.... before they approached the fire and rehire of a fraction of their employees...
I doubt any customer with a BA Holiday part paid, claiming poverty, would get the balance waived.
Indeed, a friend of mine, a (now ex-) long-standing loyal BA Executive member, is spitting about being royally fucked over by BA on bookings/vouchers/refunds.
-
Saturday 17th October 2020 01:38 GMT Gene Cash
If a company is in such financial difficulty that the fine will massively increase the number of job losses
Then perhaps they're so ill-managed they should go out of business.
ESPECIALLY when they say shit like "credit card data breaches are an entirely commonplace phenomenon and an unavoidable fact of life".
Every last one of them should be selling pencils on the street corner.
-
-
Friday 16th October 2020 14:41 GMT circusmole
Who will finally pay for the £20M fine...
...That's right - the customers! It's obvious that they will just load up their prices to recover the £20M, plus a little bit extra for their trouble, and there you go.
This has always been the case with these fines to the big companies; it's always the customer that pays in the end. There is, presumably, someone responsible for the security of customer data and someone accountable when they do not do their job properly. It is this person that should be held to account and personally fined and/or jailed. Typically this would be a board member.
Of course this will never happen, but I can dream.
-
Friday 16th October 2020 14:59 GMT Anonymous Coward
Re: Who will finally pay for the £20M fine...
Not the customers, by the time people start flying again, BA will have gone bankrupt. Unless our Glorious Leadership decides to chop down a few extra trees, print a few billion GBP more, give it away. We're fucked anyway, so let's party while we can!
-
Friday 16th October 2020 15:03 GMT Anonymous Coward
Re: Who will finally pay for the £20M fine...
Alternative solution to (expensive) flying: container ships. Punch a few holes, hang some hammocks, bring your own device and food, and voila, you can fit a good few people in them ships. What's a few days' delay, when you're unemployed anyway. Perhaps they need some offshore call centres off India? :)
-
Sunday 18th October 2020 19:45 GMT Anonymous Coward
Re: Who will finally pay for the £20M fine...
Customers? On airlines? You've seen what's happening globally with air travel, right?
It will be government bailouts and taxpayers that pay the fine.
Or am I being pessimistic and all will return to the golden days of airlines struggling to avoid going bust by 2022?
-
-
Friday 16th October 2020 15:06 GMT EnviableOne
NO TEETH
The ICO has none, PCI has none; either that or they are refusing to use them.
This is a major breach of both GDPR and PCI-DSS, and neither regulator took any useful enforcement action.
There should be binding conditions on IAG and BA, and they should have restrictions on their payment processing (requiring step-up authorisation).
They should also be required to be audited by the ICO to identify any other shoddy practices...
</rant>
-
-
Monday 19th October 2020 20:29 GMT Alan Brown
Re: NO TEETH
...its baffling lack of enforcement...
It's not baffling. The ICO is _deliberately_ crippled by design and every step to increased powers of fining, etc has been blocked by governments of the day _and_ the ICO administrators themselves
The possibilities are there to hold directors personally responsible for company failings (limited liability only shields SHAREHOLDERS from _financial_ responsibilities) but an utter unwillingness to actually do it
-