British Airways is facing a proposed $230 million fine under the EU’s General Data Protection Regulation (GDPR) for a hack last summer that compromised personal information on approximately 500,000 customers accessing its website.
The UK Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator said the company will have a chance to contest the proposed fine.
Attackers were able to harvest customer details including log ins, payment cards, and travel booking details, according to the regulator. The airline disclosed the incident in September 2018.
This proposed fine is more than 3 times the total fines meted out during GDPR’s first year. In the year after GDPR’s passage there were 200,000 investigations, 64,000 of which found fault, resulting in total fines of approximately $70 million — nearly 90% of which was from a single case against Google.
In Austria there were three fines issued in the first year, ranging from 300 euros to 4800 euros apiece. Ireland reportedly has blocked enforcement actions under GDPR in the cases of many international tech companies.
The British Airways hack was self-disclosed and there are no known instances of “fraud [or] fraudulent activity on accounts linked to the theft.”
And yet the disproportionate nature of this fine – imposed by the UK’s regulator – isn’t the primary injustice here. Does something strike you as off when you read the UK Information Minister’s statement? She wrote, “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.”
And yet the money goes to the state and not to the people who have actually suffered “more than an inconvenience.” The government wants to fine British Airways $460 per person for the data breach but not give that money to the people whose data was stolen. If they own their own data, shouldn’t they be the ones compensated?
This thought exercise points to something else fundamental about data breaches. The information was accessed and copied but not stolen per se. Everyone whose data was involved in the hack still has their own data. There is something fundamentally different between intellectual property and data on the one hand and physical or real property on the other.
British Airways has collected information about you and stored it. Most personal information isn’t very valuable. At least, personal information alone doesn’t matter. Names, addresses and phone numbers were published in phone books and eventually digitized. Getting a copy of the phone book wasn’t very helpful to businesses.
Add in email addresses and things change a little bit. It’s cheaper to email someone than to call them or send something by mail. But a single email address still doesn’t have very much value. Even one million email addresses aren’t very valuable, because response rates to spam are so low.
Knowing that a person flies for business every week and that their most frequent destinations are New York, Chicago, and Los Angeles is valuable. Knowing which hotel they stay at because of its proximity to another location and that they usually drive when they’re there is valuable. Knowing when they break their pattern is valuable, too.
It’s behavioral data that’s actually valuable, information about you fed into predictive tools which are the proprietary technology of a company