Anyone who doubted European Union regulators wouldn’t take the opportunity to whack companies for data breaches under the new General Data Protection Regulation (GDPR) has been shaken awake with news that the U.K.’s information commissioner has proposed fining British Airways the equivalent of $300 million CAD for a 2018 incident.
The news came today after the Information Commissioner’s Office (ICO) told the London Stock Exchange and the airline of the proposed record fine for violating the GDPR, which came into effect in May 2018. The airline will have an opportunity to reply to the commissioner before any penalty is finalized.
The fine would represent about 1.5 per cent of British Airways’ annual revenue. Under the GDPR a regulator could fine a company up to four per cent of its global revenue.
In one of the highest penalties issued in the short life of the GDRP, France’s regulator fined Google the equivalent of $73 million CAD in January for failing to meet transparency and information requirements to get consent of users.
The GDPR applies to all 27 countries in the European Union. Under its rules, the U.K. ICO is acting as the lead supervisory authority for this investigation on behalf of all the other countries. Similarly, the French regulator was acting for all EU regulators in the Google case.
What the ICO’s notice doesn’t detail is the circumstances of the breach and how it calculated the fine. That will come with the final decision.
In its statement, the ICO said the breach happened when an attacker harvested personal data of 500,000 people by diverting traffic from the British Airways website to a fraudulent site in an attack that started around June 2018. One news report suggested the breach lasted 15 days before being detected in September of that year. Among the stolen data were users names, addresses, logins, payment card, and travel booking details.
It briefly blamed the breach on “poor security arrangements.”
The ICO did say the airline has been cooperating with its investigation and that it has improved its security. News services have quoted British Airways saying it’s surprised and disappointed with the proposed penalty.
“When an organization fails to protect it from loss, damage, or theft, it is more than an inconvenience,” said information commissioner Elizabeth Denham. “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Privacy lawyer Kris Kline with the Ottawa-based consultancy nNovation, who is also managing director of the Canadian wing of the International Association of Privacy Professionals, noted British Air has yet to make representations to the ICO, so the end result might be different. “Nevertheless,” he added, “it does indicate that an organization cannot simply play the victim card when it experiences a breach. It has to prove that the safeguards it had in place were appropriate and reasonable considering the sensitive nature of the personal information it was collecting. I’m quite sure that organizations over here are going to pay attention to this development and are grateful that our laws don’t punish in this way. At least not yet.”
Security vendor RiskIQ suspects the attack was committed by a group called Magecart, which specializes in hacking websites and installing data skimming scripts. In the case of British Airways, it believes the group used a customized script.
Security companies were quick to issue news releases on the issue.
“This is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded – may cost hundreds of millions,” said Ilia Kolochenko, chief executive officer of web security company ImmuniWeb. “Prompt reaction, investigation, and rapid notice won’t be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational, and operations standpoints.”
“The size of this [proposed] fine certainly sends a clear message for GDPR enforcement: protect your customers’ data or pay. If anyone was unclear on how GDPR would be enforced, this fine should deliver clarity,” said Tim Erlin, vice-president of product management and strategy at Tripwire. “Regulations like GDPR can be used to raise the bar on information security across whole industries, but we are fundamentally talking about criminal activity here, and these regulations also walk a fine line between improving security and blaming the victim. In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present. It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”
Alex Calic, strategic technology partnerships officer for The Media Trust called the proposed fine “unprecedented, if unexpectedly, stiff … The message is clear. If you collect consumer data, you’d better make sure it’s safe and know who has access to it. Moreover, reporting a breach and cooperating with regulators after the fact won’t guarantee immunity from the penalties.”
“The problem is most third parties are strangers to site and mobile app owners, yet they often have access to user data and operate outside the site or app owner’s IT perimeter. Companies under GDPR and other data privacy laws on the horizon should retake control of their digital ecosystems. This means closely monitoring their digital assets for any unauthorized parties and activities, as well as working with third parties on enforcing digital policies and rooting out those who break them.”