July 15, 2019
British Airways faces record $329m fine for data breach: What lessons can you learn from their mistake?
You may have heard that British Airways is facing a record AU$329 million fine for failing to adequately protect consumer data. These are the first fines to be publicly announced under the new General Data Protection Regulation (GDPR) guidelines.
The British Airways data breach: How did it happen?
During a three-week period between August and September 2018, a group of hackers diverted traffic from the British Airways website and mobile app to a fraudulent site, affecting around 500,000 people. The group, named Magecart, harvested a collection of user data, including names, email addresses and complete credit card information.
In response, the UK-based Information Commissioner’s Office (ICO) issued British Airways with a $340 million fine. As this article points out, that’s about the cost of one of the company’s Boeing 747 jets.
It should come as no surprise that the ICO has a firm stance on data protection:
‘“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham in a statement. “When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
‘That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”’
GDPR: The world is watching
Designed to give EU citizens more authority over their personal data, GDPR is the centrepiece of the EU’s digital privacy legislation. Entities handling such data are expected to put into place the ‘appropriate technical and organisational measures’ to ensure the protection of people’s data.
The effects of the GDPR extend far beyond the border of the EU. Foreign businesses wanting to operate on European soil are also expected to comply with these rules. Regulators, at least in this instance, understand the risks associated with personal data and are taking a hardline approach as a result.
Failing to comply could cost you – big time
Operators found to be in violation of these regulations could incur fines of up to $32.5 million or up to 4% of annual turnover from the previous financial year – whichever is greater. So, while the fine given to British Airways was significant (at roughly 1.5% of turnover), it was still far from the GDPR maximum of 4%.
GDPR laws are designed to be proportional. Businesses that handle millions of people’s data have the most to lose, but they can also afford to be hit the hardest. For both small and large enterprises, receiving an unexpected maximum fine could spell a death sentence.
In the days following the British Airways announcement, the ICO also announced fines against the global hotel chain Marriott. These fines, totalling AU$178 million, were also based on the new GDPR guidelines.
What these fines suggest is a clear clampdown by regulators in a bid to curtail negligent or ineffectual cybersecurity protection.
Generally, data protection has remained a secondary priority for businesses because of the additional costs of implementing an airtight cybersecurity framework. And for the most part, these companies have remained relatively free of scrutiny in this regard. Businesses have skirted the fine line between improving security measures and placing the blame on the victim.
The introduction of GDPR is a reaction to a simple understanding: Data is what fuels the digital economy and has become integral to how modern society operates – to the point where additional intervention from other governing bodies is inevitable.
There’s also a growing public sentiment that individuals should have greater control over their own data. As a result, legislation related to data protection and cybersecurity is bound to increase.
Timing is everything. Just ask Facebook
Prior to both of these incidents was the Facebook–Cambridge Analytica scandal, which saw the ICO hand Facebook an AU$90 million fine for a data breach in 2018. For a global tech company that made a profit of AU$6.88 billion in the fourth quarter of 2018, this was barely a dent.
Had Facebook been tried under new GDPR rules, the ICO claims the fine would ‘inevitably have been significantly higher’.
Are businesses really prepared to invest in cybersecurity?
According to TD Ameritrade’s annual survey of registered investment advisers, or RIAs (who lead companies managing assets of high-net-worth individuals), 2019 is set to be the year of cybersecurity spending. As seen in the chart below, 59% of RIAs are considering investing in cybersecurity to help drive growth in 2019. This compares to just 11% in 2018.
While it’s difficult to determine the veracity of these statistics, given the growing awareness about the importance of cybersecurity, and the subsequent regulatory clampdown, these findings make sense.
The verdict: Protect your user data or pay the price
Record-breaking fines send a clear message to organisations: Protect your user data or pay up. But we must be mindful of the message sent, so as not to discourage others from further investment in cybersecurity.
Regulators must be wary not to punish all parties with the same degree of harshness. They must consider whether the organisation in question acted with negligence, as even businesses that enforce the appropriate security measures can fall victim to a data breach.
It’s possible the majority of businesses are already taking cybersecurity seriously. For any company that isn’t, be careful not to end up like British Airways.
Not sure where to start when it comes to cybersecurity risk management or GDPR compliance? 6clicks can help. Go here to learn more.
6clicks is a powerful and easy-to-use online risk assessment, risk management and compliance platform connecting businesses and service providers.