UK ICO Levies GDPR Fine of £20 Million for British Airways 2018 Data Breach, Substantially Less Than the Initial £183 Million

By Scott Ikeda for CPO Magazine
Thursday, October 22, 2020

• 1.9k
• 16
• 16
• 16
• 8
• More
• 16
• 16
• 16

The 2018 data breach that exposed the personal information of over 400,000 British Airways customers will cost the company £20 million, in the form of one of the largest GDPR fines to date. The UK ICO’s decision found that the travel giant was negligent due to “poor security arrangements” creating a hole in the network that was exploited by attackers for two months before being discovered.

Are massive GDPR fines the solution?

Of course, the airline also managed to drag out an appeal for over a year (aided beyond that by the sudden appearance of the pandemic) and ended up paying what amounts to only a very small fraction of its annual turnover, so one must wonder if even the largest of these fines are really providing the teeth necessary to convince organizations to spend more heavily on security solutions. Ilia Kolochenko, Founder & CEO of ImmuniWeb, also believes that even this relatively modest cost will not end up being any kind of a burden on the company: “The road to hell is paved with good intentions. BA will likely shift the £20 million cost to passengers and employees, as most other companies would probably do. During the pandemic, exemplary penalties aimed to strongly deter others, likely mean more layoffs and less quality of service. While cybersecurity budgets will probably remain intact or even continue their decline. Moreover, in large organizations, even £20 million is just a fraction of the overall security budget thus it may simply mean that paying a “record” penalty is cheaper than investing into a robust and holistic cybersecurity program.”

So what is the answer? Kolchenko does not see maximum GDPR fines or even incarceration for CEOs as making a difference. Instead, he suggests focusing on pouring resources into taking down the hacking groups responsible for these breaches: “To make our digital lives safe and secure, governments should also consider supporting cybersecurity efforts of companies and organizations. This includes efficient and effective cybercrime investigation units, capable of apprehending hackers, send them to jail and recover at least a part of the stolen loot or disgorge their illicit profits. With the mushrooming data protection laws and regulations, from overhyped GDPR to relatively young CCPA, harsh penalties against companies that create jobs and pay taxes – are counterproductive when the state is toothless against cyber gangs that operate in impunity.”

While it’s possible that this approach may be more effective than GDPR fines in reducing hacking complications, it does not account for two other substantial data breach causes: employee error and insider compromise. A report from early 2020 found that 90% of data breaches reported to the UK ICO were attributed to an end user error. Misconfigurations and improper updating/patching are common mistakes that create openings without any involvement by a threat actor. And while insider threats remain relatively minor in the UK, globally it is on the rise as a breach cause with both the amount of incidents and the expected cost rising by double-digit percentages globally in recent years. Read Full Article