British Airways Fined Under GDPR For 183m Pounds!
Talk about sending a message. Under GDPR, the Information Commissioner’s Office (ICO) fined British Airways (BA) 183m pounds ($229.45M USD) for its 2018 data breach. Which is approximately 1.5% of their annual global turnover but still less than the 4% they could have been fined for under GDPR. Still the fine represents about 6% of their 2018 profit. Wow. Of course, BA can contest the fine and the final penalty could be different, but the message has been sent.
The fine is not for the breach itself but for BA’s “poor security” as stated by the ICO. Here is where, I believe, the crux of the privacy and cyber security debate rests, and why I personally feel that privacy (and privacy legislation) will continue to drive cyber security.
Follow me for a second, as it relates to GDPR, a company has a breach that exposes 500,000 customer records, an investigation is done by an independent investigative body like the ICO, they determine based on their broad level of understanding of industry best practices that the company did not follow those best practices and the fine is levied because of poor security practices. You can see how GDPR, through privacy, is affecting what has historically been in the cyber security realm. Of course, this is just one example, however this example is what companies most fear.
As another example, let’s say a misconfiguration of AWS or Azure cloud bucket caused the exposure of millions of consumer records. An investigative body comes in to investigate the root cause of the breach. The company in question has to admit that, they weren’t the victim of a sophisticated attack, they just didn’t configure the cloud bucket correctly. That’s poor security and that is a large fine! Maybe not the first company but the more breaches that hit the news and the root cause is a misconfiguration of a cloud bucket, all companies are now on notice that they should be paying attention to this issue. The more awareness there is to an issue, the larger the fine if you fall victim to it. That’s how I see it anyway and unfortunately nothing has happened in the cyber security space to change poor security hygiene and this is where privacy, I believe, will change the game.