British Airways fined £20m for Magecart hack that exposed 400k folks' credit card details to crooks

British Airways is to pay a £20m data protection fine after its 2018 Magecart hack – even though the Information Commissioner’s Office discovered the airline had been saving credit card details in plain text since 2015. The fine, announced this morning by the UK's data watchdog, is almost exactly at the reduced £19.8m level …

  1. wyatt

    I hope that, if their insurance company is approached to cover the fine they give them the finger. To have user credentials saved in files like that is one of the 'unforgivables'.

    1. Mike 137

      one of the 'unforgivables'

      Very common though. It was the prime cause of the massive scale of the Equifax breach of 2017.

  2. macjules

    Reduce the fine or ..

    1) we will start sacking flight crew. Oh wait, we already started doing that.

    2) we will have to sell one of our islands. Oh wait, we’re not Virgin Ontheridiculous.

  3. Anonymous Coward

    I'm not aware of any other companies getting their legal fines reduced because of Coronavirus....why should BA be an exception? Especially since the event they're being penalised for happened LONG before Covid-19 struck...

    1. NeilPost

      Shameful

      Absolutely Fucking shameful of the ICO and makes them look ineffectual pussies when it comes to enforcement.

      Take the £20m as a down payment and defer the rest of the fine until BA turn around - say 2025 - and bust their ass then... rather than getting away effectively Scot-free and laughing their socks off. The fine was only delayed as they appealed and appealed against it.

      The ICO chair should resign.

    2. Anonymous Coward

      Probably something to do with the ICO's legal budget being ~£2m/year, and BA's being substantially higher, thus this being a pragmatic solution - find the upper end of what BA are willing to pay, or be dragged through the courts with legal challenges until no-one cares. :(

      1. NeilPost

        £20m is fuck all.

        A £100m settlement would have been equitable... £20m now, and the rest paid off in instalments reflective of BA's recovery/financial performance.... like, say, the board's remuneration package.

        Nasty airline.

        Watch Marriott plead poverty next.

        1. Oh Matron!

          I'm expecting Alex Cruz to have the same meteoric rise in Govt as Dido Harding, captain of another hack...

          1. NeilPost

            Don’t forget Willie Walsh.

            He's on the lookout for a new challenge having left IAG in a staff-bloodbath blaze of ignominy that should fit in well with BoJo's government of fuckwits.

        2. Halfmad

          They should be forced to display a warning on any checkout pages for 5 years stating they have screwed up in the past and that consumers should consider carefully before spending with them.

        3. Mike 137

          Unfortunately

          This is the maximum fine the ICO can impose by law. The draft statutory guidance on its regulatory action states that the Higher Maximum Amount (theoretically 4% of global annual turnover or 20M, whichever is greater) is capped at 20M in the UK, although the guidance refers to Euros not GB pounds, which is going to be fun from January 1st.

          Rather invalidates the purpose of the alternative.

          1. viscount

            Re: Unfortunately

            That does seem strange: it means the GBP 20m penalty is higher than their permitted maximum of EUR 20m.

          2. EnviableOne

            Re: Unfortunately

            No, it's not.

            The limit is 2% of global turnover of the undertaking (in this case IAG) in the year previous to the offence, or 20 million euros, whichever is greater.

            The UK legislation translates the 20 million euros to 17 million pounds.

            22,880 million euros in the year to Dec 2017, so 4% of that makes 915 million euros.

            So their initial fine of 189 million pounds was well short of this, and considerably less than the 700 million euros they returned to shareholders in that year as a special dividend, on top of the standard 600 million euro normal one.

          3. NeilPost

            Re: Unfortunately

            I think the £193m levied was reflective of this.

            You are talking British Airways/IAG ... not plucky small players like LoganAir.

            Like I said above, take the £20m as a down payment and defer the rest for a few years and they can pay in instalments tied to company recovery/performance goals. No board 'performance' (sic) bonuses until all paid off.

      2. Anonymous Coward

        Isn't legal / taking organisations to court (or the threat of) their raison d'être? How the heck can they only spend £2M a year on that?

    3. Cynic_999

      Pragmatism. If a company is in such financial difficulty that the fine will massively increase the number of job losses, you have to ask yourself who ends up being punished - and is that a just or fair result? Perhaps instead of reducing the fine, it should be deferred or taken in installments as a percentage of profits every year until paid.

      If the fine is big enough that it is likely to result in the company going bust before it could raise that much money, it's a pointless exercise anyway and the main losers are the innocent employees.

      Maybe better would be to make the fine much smaller but have the directors pay it personally rather than coming from the company account. I suspect that if the directors were to be fined £2 million it would have a far greater effect on their desire to ensure it doesn't happen again than fining the company £20 million.

      1. davenewman

        Well, since we need to drastically reduce the number of flights to save the planet, we need to make a lot of airlines close, starting with the most expensive ones.

      2. NeilPost

        I'm assuming they have slashed boardroom pay by 50%, axed bonuses, slashed the dividend for the foreseeable future until BA is on a sure footing.... before they approached the fire-and-rehire of a fraction of their employees...

        I doubt any customer with a BA Holiday part paid claiming poverty would get the balance waived.

        Indeed a friend of mine as a (now ex-) long standing loyal BA Executive member is spitting about being royally fucked over by BA on bookings/vouchers/refunds.

        1. anothercynic

          Interesting... They've converted all their 'you have to call us to spend this' voucher things to e-vouchers you can spend on other flights online, soooo... where's your friend been failed?

        2. 0laf

          A huge company like BA? They'll have had a "Legal fines contingency fund" set up for years, this will barely be a footnote in the accounts

      3. Gene Cash

        If a company is in such financial difficulty that the fine will massively increase the number of job losses

        Then perhaps they're so ill-managed they should go out of business.

        ESPECIALLY when they say shit like "credit card data breaches are an entirely commonplace phenomenon and an unavoidable fact of life"

        Every last one of them should be selling pencils on the street corner.

      4. Anonymous Coward

        "...if the directors were to be fined £2 million it would have a far greater effect..."

        HR would just give them £2M as a shares bonus to compensate.

  4. Anonymous Coward

    What do you expect? Fairness and justice?

  5. Doctor Syntax

    "the airline had been saving credit card details in plain text since 2015."

    Presumably this is going to be subject to a whole lot of other actions from financial regulators and credit card companies.

  6. viscount

    They were saving the CVV too which seems like a basic error. No idea why.

    1. Anonymous Coward

      which seems like a basic error

      Not to mention being a direct violation of PCI-DSS rules.
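The two comments above (card details kept in plain text, and the CVV stored alongside them) point at a check practitioners actually run after a breach like this: scanning logs, exports and database dumps for primary account numbers and CVV fields sitting at rest. The script below is an added example, not code from the page, the ICO or BA. The log lines are constructed, and 4111111111111111 and 5555555555554444 are standard test PANs, not real cards. It flags 13 to 19 digit runs that pass the Luhn check and any labelled CVV field, and reports PANs masked (first six, last four) so the scanner's own output does not become one more plain-text copy.

```python
import re

# Constructed sample records (not real data): the kind of plain-text rows the
# article describes. 4111111111111111 and 5555555555554444 are standard test PANs;
# the last row has a mistyped PAN (fails Luhn) but still leaks a CVV.
SAMPLE_LOG = """\
2018-08-21 10:14:02 booking=ABC123 pan=4111111111111111 exp=12/21 cvv=123 name=J Smith
2018-08-21 10:14:05 booking=DEF456 pan=5555555555554444 exp=03/22 cvv=456 name=A Jones
2018-08-21 10:14:09 booking=GHI789 ref=1234567890123456 status=OK
2018-08-21 10:14:11 booking=JKL012 pan=4111-1111-1111-1112 exp=01/23 cvv=789
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not part
# of a longer digit run. Timestamps and short references fall below the floor.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A CVV is only recognisable by its label, so match common field names.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card issuers; filters out most digit runs
    that merely look like card numbers (order references, IDs, typos)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS lets you display)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, redacted value) findings for one record."""
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    for _ in CVV_RE.finditer(line):
        # Never record the CVV itself; its presence at rest is the finding.
        findings.append(("CVV", "***"))
    return findings


def scan(text: str) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line numbers to findings; clean lines are omitted."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = scan_line(line)
        if findings:
            results[lineno] = findings
    return results


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```

Run against the constructed sample, lines 1 and 2 report a masked PAN plus a CVV, line 3 (a Luhn-invalid reference number) is silent, and line 4 reports only the CVV. On a real estate the same logic goes over log directories, backups and column dumps, and a CVV hit anywhere at rest is a finding regardless of whether the PAN beside it is valid.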

  7. circusmole

    Who will finally pay for the £20M fine...

    ...That's right - the customers! It's obvious that they will just load up their prices to recover the £20M, plus a little bit extra for their trouble, and there you go.

    This has always been the case with these fines to the big companies; it's always the customer that pays in the end. There is, presumably, someone responsible for the security of customer data and someone accountable when they do not do their job properly. It is this person that should be held to account and personally fined and/or jailed. Typically this would be a board member.

    Of course this will never happen, but I can dream.

    1. Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Not the customers, by the time people start flying again, BA will have gone bankrupt. Unless our Glorious Leadership decides to chop down a few extra trees, print a few billion GBP more, give it away. We're fucked anyway, so let's party while we can!

      1. NeilPost

        Re: Who will finally pay for the £20M fine...

        Ahh in that case IAG will do a dodgy Pre-Pack administration buy-back .... aka “dump the debt, dump the liabilities and fuck the creditors”

    2. Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Alternative solution to (expensive) flying: container ships. Punch a few holes, hang some hammocks, bring your own device and food, and voila, you can fit a good few people in them ships. What's a few days' delay, when you're unemployed anyway. Perhaps they need some offshore call centres off India? :)

      1. NeilPost

        Re: Who will finally pay for the £20M fine...

        Don’t forget some miniatures from Tesco and a ready meal from Heron Foods.

    3. Anonymous Coward

      Re: Who will finally pay for the £20M fine...

      Customers? On airlines? You've seen whats happening globally with air travel right?

      It will be government bailouts and taxpayers that pay the fine.

      Or am I being pessimistic and all will return to the golden days of airlines struggling to avoid going bust by 2022?

  8. Anonymous Coward

    British Airways fined £20m for Magecart hack

    click here to complete a voucher form...

  9. EnviableOne

    NO TEETH

    The ICO has none, PCI have none, either that or they are refusing to use them.

    This is a major breach of both GDPR and PCI-DSS, and neither regulator took any useful enforcement action.

    There should be binding conditions on IAG and BA, and they should have restrictions on their payment processing (requiring step-up authorisation)

    They should also be required to be audited by the ICO to identify any other shoddy practices...

    </rant>

    1. NeilPost

      Re: NO TEETH

      European Court?? ... before we get fucked over with a no-deal at the end of the Transition Period ??

    2. NeilPost

      Re: NO TEETH

      With many things government/law/legislation/regulatory based, the problem is generally not that there isn't enough law or that new law is required; it's a baffling lack of enforcement of the existing legislation.

      1. Alan Brown

        Re: NO TEETH

        ...it’s baffling lack of enforcement...

        It's not baffling. The ICO is _deliberately_ crippled by design and every step to increased powers of fining, etc has been blocked by governments of the day _and_ the ICO administrators themselves

        The possibilities are there to hold directors personally responsible for company failings (limited liability only shields SHAREHOLDERS from _financial_ responsibilities) but an utter unwillingness to actually do it

  10. Anonymous Coward

    ICO - once a chocolate teapot

    Always a chocolate teapot.

    British "justice".

  11. Anonymous Coward

    Maybe a(n even) more pragmatic solution

    Which wouldn't affect innocent employees or business viability would be to ban the relevant board member from being a director (of any company) for a minimum of 5 years, longer if the circumstances warrant it.
