British Airways is facing a proposed $230 million fine under the EU’s General Data Protection Regulation (GDPR) for a hack last summer that compromised personal information on approximately 500,000 customers accessing its website.
The UK Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator said the company will have a chance to contest the proposed fine.
Attackers were able to harvest customer details including logins, payment cards, and travel booking details, according to the regulator. The airline disclosed the incident in September 2018.
This proposed fine is more than 3 times the total fines meted out during GDPR’s first year. In the year after GDPR’s passage there were 200,000 investigations, 64,000 of which found fault, resulting in total fines of approximately $70 million — nearly 90% of which was from a single case against Google.
In Austria there were three fines issued in the first year, ranging from 300 euros to 4800 euros apiece. Ireland reportedly has blocked enforcement actions under GDPR in the cases of many international tech companies.
The British Airways hack was self-disclosed and there are no known instances of “fraud [or] fraudulent activity on accounts linked to the theft.”
And yet the disproportionate nature of this fine – imposed by UK’s regulator – isn’t the primary injustice here. Does something strike you as off when you read the UK Information Minister’s statement? She wrote, “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.”
And yet the money goes to the state and not to the people who have actually suffered “more than an inconvenience.” The government wants to fine British Airways $460 per person for the data breach but not give that money to the people whose data was stolen. If they own their own data, shouldn’t they be the ones compensated?
This thought exercise points to something else fundamental about data breaches. The information was accessed and copied but not stolen per se. Everyone whose data was involved in the hack still has their own data. There is something fundamentally different between intellectual property and data on the one hand and physical or real property on the other.
British Airways has collected information about you and stored it. Most personal information isn’t very valuable. At least, personal information alone doesn’t matter. Names, addresses and phone numbers were published in phone books and eventually digitized. Getting a copy of the phone book wasn’t very helpful to businesses.
Add in email addresses and things change a little bit. It’s cheaper to email someone than to call them or send something by mail. But a single email address still doesn’t have very much value. Even one million email addresses aren’t very valuable, because response rates to spam are so low.
Knowing that a person flies for business every week and that their most frequent destinations are New York, Chicago, and Los Angeles is valuable. Knowing which hotel they stay at because of its proximity to another location and that they usually drive when they’re there is valuable. Knowing when they break their pattern is valuable, too.
It’s behavioral data that’s actually valuable: information about you fed into predictive tools which are the proprietary technology of a company.
The ostensible purpose of fines is to discourage anti-social behavior. The actual purpose is to raise money for the organization that has the franchise on fines (the government).
The best way to see this is traffic and parking enforcement. The ostensible reason for speed limits is to prevent crashes, which are most likely to happen when someone is speeding on a narrow, curved road on a rainy day. Is that where the cops set up shop, to protect people? No, they set up shop on a wide downward-sloping road on a sunny day, where the speed limit changes from 65 to 55 for a short stretch, when people are most likely to quite safely drive 65 instead of 55. Because that’s where the money is.
The ostensible purpose of road-side parking restrictions is traffic flow. So do the meter maids drive down 5th Avenue at rush hour and move anyone blocking a lane of traffic and slowing down thousands of others? No. Because that’s only going to net one parking ticket an hour at best. They descend on side streets at 8:01 am where they can fine dozens of cars in the same time, then move on to other streets that allow parking until 9:01 am, and so on.
BA presumably also has saved credit card info stored.
Was any of that stolen? Because that certainly would be valuable.
Yes, a terrible injustice.
Almost as if one were to use their airline miles to purchase an “award” ticket only to find out that the cash outlay was more or less the same as a regular purchased ticket.
How can this be allowed?
And this comes on the heels of a two-day BA system breakdown this weekend that it is still recovering from (the website option for book with cash, upgrade with avios is still broken at the stopover page – I seem to recall that from a few years ago, too). Curiously, I only saw a report of it on a UK tabloid website. None of the usual travel bloggers covered it that I saw.
LifeLock is the biggest fraud, by the way. Why companies like United or American partner with them is beyond me.
BA is lying when it says there were no known instances of fraud. I had two cards that were compromised during the period on BA.com subsequently used by fraudsters. Perhaps they got the card information from another site, but it is unlikely. I do think BA deserved to be fined, as they gave $0 in compensation for the time lost and inconvenience of cancelling my cards. I did not lose any money personally, but my banks most likely did. I do agree that the regulator should split the award with the people negatively impacted by the situation.
The fine does not preclude anyone from taking action against BA on their own, and this really isn’t the job of regulators. People have taken Equifax to small claims court and won several thousand dollars. You could potentially do the same anywhere BA flies.
It would definitely be nice to see this money go to the victims, though.
All the fines do is help the government with their Budget Gaps. These fines should be used to REIMBURSE those who lose money due to financial fraud.
BA were _so_ incompetent that not only were customers’ personal details hacked, but also the credit card details _and_ CVV numbers!
That is one reason the proposed fine is so large – another is that the hack (said to be using insecure third-party code used in the payments processing code) went on for _months_ without being spotted.
Thirdly, the law changed last year and the maximum fine went up from a piddling £500,000 – not before time.
There are at least two class-action cases in progress, so there should be some restitution for those affected, but the fine should concentrate the minds of C-level executives on protecting customer data – the ‘cost of doing business’ has now increased…