
GDPR: Data Breach Fine 183 Million for British Airways


1:38 pm on Jul 8, 2019 (gmt 0)
engine, Administrator from GB


The UK's ICO (Information Commissioner's Office) has fined British Airways 183 million over last year's data breach, in which around 500,000 BA customers were affected.
Data included log-ins, payment card details, travel details, names and addresses.
This is by far the largest fine the ICO has ever issued, and comes as a result of the new GDPR rules.
BA said it would appeal the decision.

[bbc.co.uk...]

1:47 pm on July 8, 2019 (gmt 0)
Senior Member (joined Nov 13, 2016)


The GDPR sets the maximum penalty at 4% of turnover.
The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.
The proposed penalty is roughly 367 times as high as the previous record fine, the 500,000 imposed on Facebook over the Cambridge Analytica scandal.


What the story is not saying is how BA was guilty... they loosely mention "poor security arrangements", but not exactly what BA did or did not do.

I dread the day my server will be hacked... I am ultra paranoid, I am not storing "sensitive" information, I am doing everything to protect the server, the data, etc... but still, I know that one day or another I'll be hacked no matter what... I wish authorities would deploy as many resources to tracking hackers as they do to tracking companies which have been hacked... (even if sometimes these companies are at fault, of course)

3:24 pm on July 8, 2019 (gmt 0)
Senior Member (joined Apr 1, 2016)


@Dimitry
I know that one day or another I'll be hacked no matter what... I wish authorities would deploy as much resources to track hackers than they do to track companies which have been hacked ...

You hit the nail on the head with this statement.

For a company like BA or FB, hundreds of millions in fines is just the cost of doing business. The amount is unlikely to even cause a measurable change in the share price. But for small business the cost of compliance will likely exceed the 4% of turnover, and as you state, even then there is no guarantee that one won't get hacked.

So really, who is this regulation helping? The big companies are not really concerned by it, and these are the companies that are putting the most data at risk. Meanwhile the small companies pay the biggest price with the least data at risk; in most cases the risk is negligible.

3:51 pm on July 8, 2019 (gmt 0)
Senior Member (joined Nov 13, 2016)


Yes, I was saying something more or less similar in this topic: [webmasterworld.com...]

4:22 pm on July 8, 2019 (gmt 0)
engine, Administrator from GB


I was also reading about the fines and where they go. If the fines were ringfenced and used specifically to chase down hackers, or even went to charity, or towards recompensing the affected individuals, I'd be a lot happier.
Also, is this really proportional?
I have experience of a hack which took place a number of years ago, and I'm still getting plagued by thieves claiming to be from the specific company. They have my details. The crazy thing is that the thieves seem to think that the old details from five years ago are still current.
It's part of life, I guess.

4:27 pm on July 8, 2019 (gmt 0)
Senior Member (joined Nov 13, 2016)


Call me a conspiracy theorist, but I am sure that countries like the USA, China, and Russia have the technologies and resources to track down hackers. I don't believe that hackers are smarter than the intelligence services of these countries...

By the way, I am off-topic, but this is bringing back dark memories of something I experienced in the 90's...

7:37 pm on July 8, 2019 (gmt 0)
Senior Member from CA (joined Nov 25, 2003)


Here is an explanation of the BA breach from just after it was discovered: Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims [riskiq.com].

Basically, an infected JavaScript library phoned home with customer PII. BA failed on at least two basic security counts:
* the cracked library was years out of date.
* the crackers gained access and write permission.

The attack was basically at script-kiddie level; this was not some sophisticated 1337 h4x0r crack. Put simply, BA was, in web payment security terms, grossly negligent. And, as we know from previous fines for egregious PII breaches over the years, they were simply received as a cost of doing business. Making the cost hurt may just make the recipient, as well as others, treat security as a necessary requirement and not a joke.

However, as BA has said they will appeal I expect the fine will be rolled back 'in the national interest' or similar and impetus for change will dissipate once again. That said: good on you, Elizabeth Denham (ICO Commissioner), good on you.

....


Call me a conspiracy theorist, but I am sure that countries like the USA, China, and Russia, have the technologies and resources to track down hackers. I don't believe that hackers are smarter than the intelligences of these countries...

Over time, yes, but it takes a lot of effort and can be impossible in each specific instance if the cracker knows what they are doing. Eventually a mistake is usually made in a given instance (e.g. if there is a 1% chance of being caught and one doesn't stop...) and code fingerprints tie back to other cracks.
Then, while the cracker may be 'identified', it may be an alias and not a true identity.
Also, the cracker may currently be jurisdictionally untouchable unless they travel to where they are 'gettable' and law enforcement is aware.
And lastly, governments are motivated by national security and politics; a strictly business crack is rarely seen as either.

6:53 am on July 9, 2019 (gmt 0)
Senior Member (joined Nov 13, 2016)


Thanks @iamlost for the details. One more reason I never use third-party libraries :)