GDPR Gets Real — British Airways Faces $230 Million Fine for 2018 Breach

July 9, 2019  Jeff B. Copeland

Adjust your estimates upward for potential fines under the GDPR. Britain’s national agency charged with enforcing the EU’s data privacy law has just proposed a penalty for British Airways that would be the biggest yet under the law: $230 million, more than 6% of forecast 2019 operating profit, by The Wall Street Journal’s calculation.

BA announced last year that about 500,000 passenger records had been accessed in August and September 2018. Threat-tracking firm RiskIQ attributed the attack to the Magecart group, which specializes in stealing customer data by injecting JavaScript into websites, apps and third-party vendors.

The British Information Commissioner’s Office (ICO) cited “poor security arrangements” around login, payment cards and travel booking, as well as name and address information.

The airline disputes the ICO’s account. “British Airways responded quickly to a criminal act to steal customers’ data,” said Alex Cruz, British Airways chairman and chief executive. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”

“When an organization fails to protect [personal data] from loss, damage or theft it is more than an inconvenience,” said UK Information Commissioner Elizabeth Denham. “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The British Airways proposed fine tops the leaderboard of GDPR penalties — for now. In January, France imposed a $56 million fine on Google for not sufficiently gathering consent for ad targeting. Ireland, a corporate outpost for many US tech firms, reportedly has more than 50 privacy investigations in motion, including cases against Facebook and Apple.

Meanwhile, the New York State Department of Financial Services, with its cybersecurity regulations, and the State of California, with its Consumer Privacy Act going into effect in 2020, are the tip of the spear in bringing GDPR-style data privacy protection rules to the States.

Protect Yourself from Data Privacy Regulatory Issues

Whether you’re subject to regulation by the EU, US or both, now is the time to run a quantitative risk analysis for your databases of customer information: the strength of the controls surrounding them, the capabilities of likely attackers, the frequency of probable attacks and — with this update to the upper range of potential fines — the potential magnitude of impact of a data breach.
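As an added illustration of what such a FAIR-style quantitative analysis produces (example code written for this post, not RiskLens’s model or British Airways’ figures; every input below is a constructed, labelled assumption), the simulation combines the factors named above: how often the customer database is attacked, how often an attempt gets past the controls, and the magnitude of a resulting breach, with the regulatory fine modelled as a secondary loss capped at the statutory ceiling.

```python
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """One draw from a modified-PERT distribution given (min, most likely, max)."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def simulate_annual_loss(scenario, iterations=10_000, seed=2019):
    """Monte Carlo over one year; each FAIR factor is a (min, most likely, max) triple."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        attempts = int(round(pert_sample(rng, *scenario["threat_event_frequency"])))
        vuln = pert_sample(rng, *scenario["vulnerability"])  # P(attempt beats controls)
        total = 0.0
        for _ in range(attempts):
            if rng.random() >= vuln:
                continue  # controls held: a threat event, but no loss event
            primary = pert_sample(rng, *scenario["primary_loss"])
            fine = min(pert_sample(rng, *scenario["regulatory_fine"]), scenario["fine_ceiling"])
            total += primary + fine
        annual.append(total)
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "p50": annual[len(annual) // 2],
        "p90": annual[int(len(annual) * 0.9)],
        "max": annual[-1],
        "p_any_loss": sum(1 for x in annual if x > 0) / len(annual),
    }


# Constructed, illustrative inputs for a customer-data store (not BA's or RiskLens's numbers).
CUSTOMER_DB_SCENARIO = {
    "threat_event_frequency": (1, 4, 12),   # skimming/injection attempts per year
    "vulnerability": (0.05, 0.15, 0.40),     # chance an attempt succeeds given current controls
    "primary_loss": (0.5e6, 3e6, 15e6),      # response, notification, remediation ($)
    "regulatory_fine": (0.0, 20e6, 400e6),   # secondary loss: the fine itself ($)
    "fine_ceiling": 0.04 * 5e9,              # GDPR Art. 83(5) cap: 4% of an assumed $5bn turnover
}

if __name__ == "__main__":
    for name, value in simulate_annual_loss(CUSTOMER_DB_SCENARIO).items():
        print(f"{name:>11}: {value:,.2f}")
```

Re-running with a tighter `vulnerability` triple shows how much a control improvement buys in expected annual loss, which is the comparison the case study below makes between encryption options.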

The goal is to achieve a clear picture of your cyber risk in financial terms and plan a targeted, cost-effective response. To see how one RiskLens client, a large financial institution, met that challenge, using a FAIR (Factor Analysis of Information Risk) analysis, read this:

Case Study: Using RiskLens to Meet GDPR and NYDFS Cyber Regulations

The institution investigated drive encryption vs. file encryption to find the best return on investment in meeting the regulations. But here's an important side benefit: the GDPR requires that regulated companies make a "reasonable" effort to protect consumer data, and a FAIR analysis provides a documented, defensible argument that a company acted reasonably. Would that have helped British Airways with the ICO? Perhaps, perhaps not. But with this kind of money in fines at stake, quantified cyber risk analysis up front sounds like a very prudent investment.