BA Faces £500M Fine: Shut Up and Get Your FACTS Straight!

Just about every major news outlet in the UK has the same headline for the BA data breach: “BA faces record £500M fine for data breach!“. Some are not content with even this degree of utter nonsense and are actually making things worse by saying that affected passengers are now “threatening boycott“.

I can only assume these morons are short-selling BA stock in order to cash in on their otherwise total journalistic ignorance and complete lack of integrity.

I was personally affected by the breach, and I can assure you I will not be giving my business to Easy Jet as a result.

Yes, I am pissed off. Here’s why: 

  1. The fines under GDPR for a data breach are 2%, not 4%, so off the bat the headline should be “BA faces record £250M fine for data breach!” – this one shows either ignorance of the regulation, a deliberate attempt to dramatise the headline, or plagiarism;
  2. The maximum fines under GDPR are reserved for the most egregious offences, not any offence, and must at all times be “effective, proportionate and dissuasive” (Art. 83(1)) – explain to me how a half-BILLION pound fine for the loss of 380K payment cards is in any way ‘proportionate’ given the apparent sophistication of the attack;
  3. Loss of payment card details is already covered under the Payment Card Industry Data Security Standard (PCI DSS), as are appropriate fining / recompense structures – so why would the ICO jump in and investigate when there is a program in place already, and has been for over a decade? For what it’s worth, the fine for the loss of 380K payment cards under PCI would be in the order of £2.5M, if one is given at all;
  4. According to Art. 34(1), you may assume BA had no choice but to notify the data subjects of the breach: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” But seeing as all fraud losses related to breached payment cards are actually covered by the card issuers, can this really be called ‘high risk’? BA did it anyway;
  5. There is no such thing as 100% security – if someone with the right skill-set and patience wants in, they’re getting in, and there’s nothing you can do to stop it. You protect data to a level appropriate to its value, and no matter what business you’re in, there will always be gaps. Always.
  6. I have worked with the BA security team in a previous life, and I VERY much doubt this breach was either negligence or incompetence; they take security very seriously. This by itself would negate a huge chunk of the GDPR fine, and their obvious pro-activity related to every other factor in Art. 83(2) should negate the vast majority of the rest.

Bad news sells, I get that, but I will forever be disgusted by journalists hell-bent on destroying the image of good people and otherwise good organisations for the sake of a brief and anaemic limelight and a few column inches.

It takes an incredible variety of skills to design and build a house; any idiot with a bulldozer can knock one down.

It will be your turn soon, it’s just a matter of time.

16 thoughts on “BA Faces £500M Fine: Shut Up and Get Your FACTS Straight!”

  1. Thanks David for evangelizing Information Security and being the voice in the “ignorance” desert calling “REPENT of your sins of badmouthing without ANY verifiable facts and EDUCATE yourselves before spreading FALSE news”. Kudos to you, bro!

  2. The banks here are woefully ill equipped to deal with ever increasing online fraud – it is rife, it’s just going unreported.

    Their procedures & processes – especially with Nationwide and Santander are ill thought out and will never see a suspect identified so there is nothing to prevent/stop it.

    They do not pass information over in a timely fashion and have zero interest in helping the police.

    By the time it does get to the police (action fraud), they take 6 weeks to look at it – most logs on servers will have gone.

    As for the reporters – this is the same fashionable illness as UK businesses saying, “we take security very seriously” when they have just been hacked and didn’t know about it for 2 weeks.

    The other one I love is no payment details were released when they haven’t got a scooby what happened.

      • The point here is, we have companies saying they ‘care so much about security’ when it’s said the offending 22 line script was on their own server.

        I have read your response (attack) to Lee, I think it’s pretty poor.

        You know exactly what goes on in these places because they are, in fact, shitholes. Why defend them – they are a business and if they get caught (exposed) then tough shit – spend the money, time and effort in getting it right with prevention like Lee says.

        There is no excuse because you are larger that it should correlate with more lax security “because we cannot possibly do everything” – what kind of thinking is that?

        In each of these issues, things are preventable as Lee says. There is no defending here or comradery to be had.

        Yes they can protect to the degree they would like – it’s about effort and actually doing it, not putting your fingers in your ears squealing “we’re too big, we cannot possibly prevent ourselves putting leaky scripts on our own boxes” – it’s down to money, time and effort.

        You cannot have a company saying they take security very seriously when the level of incompetence (reporting everything is green) in basic IT is so high.

      • So you’ve worked with BA before? You KNOW they’re a “shithole”?

        If you haven’t, why are you so quick to attack them? What experience do you have in defending an organisation of that size and complexity?

        I have never, and WILL never defend incompetence or laziness, but I will likewise NEVER jump on the blame bandwagon when I know damned right well that I too make mistakes.

        Perhaps both you and Lee are lucky enough to work at organisations who can hire the best of the best in all positions. With thousands of IT staff (including grads) and tens of thousands of devices (including legacy) you know as well as I do that 100% checks and balances are impossible.

        Not even the basics are perfect, and no APPROPRIATE use of “money, time and effort” is going to change that despite best intentions.

  3. It can ONLY be described as negligence. There is no sophistication to this attack whatsoever. 22 lines of injected JavaScript, undiscovered for 2 weeks, that could have been entirely prevented by following even a modicum of the security protocols invented in the last decade.

      • I don’t think my responsibilities have any bearing on BA’s. Nor do they remove the fact my statement is correct. I’m not entirely sure why you’re refuting that.

      • I’m not refuting anything, it may well have BEEN negligence, I am stating that regardless of what you’ve read about the breach you have no idea of everything else involved. You have jumped instantly to negligence based on nothing but assumptions.

        Assuming you’re in security yourself, here are some assumptions based on what little I know of you:

        1. You have never been higher than middle management because a senior person would understand that ANY breach, no matter how egregious it appears to the outside, is NEVER that simple;
        2. You have never worked for a large organisation because if you had you would understand that NO organisation the size of BA can possibly keep track of every asset to the degree they would like;
        3. You have limited understanding of breaches if you think 2 weeks is a long time;
        4. You are a bad manager because a good manager would assume someone made a MISTAKE before they assumed negligence; and
        5. BECAUSE you assumed negligence, you are looking for the who, not the how, which is meaningless.

        I am probably completely wrong, but that’s the thing with assumptions.

        Those in security have a hard enough time dealing with accusations from ignorant leadership and the press, I would expect more empathy from someone in the field.

  4. There you go again, letting facts get in the way of a good story 🙂

    Seems to be an assumption that there is 100% security and any breach will be punished whatever! There is no 100% and never will be and if you have been diligent and just targeted by a more capable foe there might not even be a fine or persistent damage to your business.

    Thanks for putting my mental rant into words David 🙂

  5. Well said David.
    Why can commentators not realise that a ‘data breach’ does not mean that there was a breach of the GDPR or any relevant legislation? Pretty likely, yes. Definitely so, no.
    And “effective, proportionate and dissuasive” does not mean “maximum” and hardly ever will.
    And reputational loss is sometimes (always?) larger than the fine.

    • I mean, I get it, the title “British Airways Could Face £500M Fine!” grabs your attention far better than “ICO May Invoke GDPR Article 58(2)(d) to Ensure BA Bring Processing Operations into Compliance.” which is probably closer to the truth.
      The ignorance of the masses I understand, but the ignorance of PRESS I cannot accept.

  6. I do note (although the number may just be a coincidence) that SPG Law are trying to get a class-action against BA off the ground for £500M (most of which would presumably be their legal fees)

  7. “I have never, and WILL never defend incompetence or laziness”

    you did above.

    “you know as well as I do that 100% checks and balances are impossible.”

    total nonsense, let’s just lie down and let people waltz in and take the servers out.

    Then “Let’s hope SPG themselves get hacked, I’d laugh my arse off.”

    You really are something – wishing someone to be hacked?

    You must have BA shares.
