British Airways £183m cyber breach fine - Did it get off lightly?


More than one year on from the General Data Protection Regulation, which came into force on 25th May 2018, the news that British Airways is to be fined more than £183m by the Information Commissioner’s Office after hackers stole the personal data of half a million of the airline’s customers will come as no surprise, says insurance, risk management and data privacy expert Darren Wray.

The ICO said that the incident involved customer details including login, payment card, name, address and travel booking information being harvested after being diverted to a fraudulent website.

Cyber resiliency consultancy Fifth Step’s CEO Wray says, however, that even at this early stage of the investigation it could be that BA's parent company got off lightly. The fine amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year; under the E.U. regulation, however, it could have been as high as 4% of revenues, which could have added another £300m to the bill.

British Airways' protests that it responded quickly to a criminal act to steal customers’ data and collaborated with the regulator will not cut much ice with the ICO, which will argue that the airline should have had protections in place, starting with basic encryption as a minimum requirement. Furthermore, this is not BA’s first rodeo, says Wray. The airline was felled for three days in 2017 following a previous breach.

206,326 cases of cyber breaches were reported throughout the EU in 2018. Of these, 52% are now closed, 47% are ongoing and 1% are to be appealed. Many firms ran GDPR as a project, but some of those are yet to transition it to business processes.

Not all firms need a Data Protection Officer. It is, however, increasingly evident that the market doesn’t have the natural skills or the bandwidth, says Wray, who concludes that future similar incidents have the potential to be even more damaging when data protection regulation in the U.S. comes into force on 1st January next year. This could see organisations being fined or sued in multiple jurisdictions for the same breach.

California is the first U.S. state to pass an act that requires companies and employers to comply with data privacy and protection requirements under the CCPA privacy regulation.

Washington State, New York State and others are set to follow. This is only the end of the beginning for global data privacy regulation, says Wray, and a few years down the line the business will look back fondly on the days when fines totalled in the low hundreds of millions and didn’t include nearly as much time in court or lawyers’ fees.
