Just about every major news outlet in the UK has the same headline for the BA data breach: “BA faces record £500M fine for data breach!“. Some are not content with even this degree of utter nonsense and are actually making things worse by saying that affected passengers are now “threatening boycott“.
I can only assume these morons are short-selling BA stock in order to cash in on their otherwise total journalistic ignorance and complete lack of integrity.
I was personally affected by the breach, and I can assure you I will not be giving my business to Easy Jet as a result.
Yes, I am pissed off. Here’s why:
- The fines under GDPR for a data breach are 2%, not 4% so off the bat the headline should be “BA faces record £250M fine for data breach!” – this one shows either ignorance of the regulation, a deliberate attempt to dramatise the headline, or plagiarism;
- The maximum fines under GDPR are reserved for the most egregious offences, not any offence, and must at all times be “effective, proportionate and dissuasive” (Art. 83(1)) – explain to me how a half-BILLION pound fine for the loss of 380K payment cards is in any way ‘proportionate’ given the apparent sophistication of the attack;
- Loss of payment card details is already covered under the Payment Card Industry Data Security Standard (PCI DSS), as are appropriate fining / recompense structures – so why would the ICO jump in and investigate when there is a program in place already, and has been for over a decade? For what it’s worth, the fine for the loss of 380K payment cards under PCI would be in the order of £2.5M, if one is given at all;
- According to Art. 34(1), you may assume BA had no choice but to notify the data subjects of the breach; “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”, but seeing as all fraud losses related to breached payment cards is actually covered by the card issuers, can this really be called ‘high risk’? BA did it anyway;
- There is no such thing as 100% security – if someone with the right skill-set and patience wants in, they’re getting in, and there’s nothing you can do to stop it. You protect data to a level appropriate to its value, and no matter what business you’re in, there will always be gaps. Always.
- I have worked with the BA security team in a previous life, and I VERY much doubt this breach was either negligence or incompetence, they take security very seriously. This by itself would negate a huge chunk of the GDPR fine, and their obvious pro-activity related to every other factor in Art. 83(2) should negate the vast majority of the rest.
Bad news sells, I get that, but I will forever be disgusted by journalists hell-bent on destroying the image of good people and otherwise good organisations for the sake of a brief and anaemic limelight and a few column inches.
It takes an incredible variety of skills to design and build a house, any idiot with a bulldozer can knock one down.
It will be your turn soon, it’s just a matter of time.
[If you liked this article, please share! Want more like it, subscribe!]