UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …


  1. Doctor Syntax Silver badge

    "BA and the other regulators now have 28 days to make representations to reduce the fine."

    Why would the other regulators want to reduce it?

    On the wider issue I can imagine a few penny-pinching manglements and boards having this report thrust in their faces by their underlings this morning.

    1. Ken 16 Silver badge
      Childcatcher

      GDPR-exit

      No reason for Spain or Ireland to ask, but come November the UK Data Protection rules might drop the level for fines.

      1. Phil O'Sophical Silver badge

        Re: GDPR-exit

        come November the UK Data Protection rules might drop the level for fines.

        There's no reason to think so.

        If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.

        Before GDPR the UK already had higher maximum fines (£500,000) than either France or Germany (€300,000), indeed UK consumer protection legislation is consistently better than the EU minimums.

        1. Claverhouse Bronze badge

          Re: GDPR-exit

          If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.


          Who says the British will WANT to do business with EU people after Brexit ? The whole point is to stride bravely forth into the Atlantic, casting all ties behind, and having nothing to do with those dodgy foreigners and their beastly regulation.


          Aside from that I can easily see Boris impulsively having a bonfire of all regulations in an excess of Bullingdon Daily Telegraph libertarian zeal, not even noticing what this one was for. This is a person who, after all, deliberately lied about EU regulations in his columns, as he cheerfully admitted, in order to stir up dislike and have fun.

        2. Alan Brown Silver badge

          Re: GDPR-exit

          "Before GDPR the UK already had higher maximum fines (£500,000) than either France or Germany (€300,000), indeed UK consumer protection legislation is consistently better than the EU minimums."

          There's a difference between having them on paper and actually enforcing them.

        3. ocflyfish

          Re: GDPR-exit

          "If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to."

          Don't be so sure on this. Most of the US-based SMBs have laughed/scoffed/ignored the EU directives on collection of VAT and will likely do the same with GDPR. Don't get me wrong, large multinational corporations will probably comply. But the 29.7 million small businesses here will likely politely tell the ICO to stuff it.

        4. LewisCowles1986

          Re: GDPR-exit

          Why are you comparing minimum fines with maximum fines? That's like saying my boss pays me well, I'm on £5 an hour, he's on £100 a second.

          Also £500,000 is a tiny fine for any moderately sized business. The point should be to make the fine high enough to cause damage, whilst low enough to not make the company go bust, as you cannot learn from mistakes that kill.

          In any case it's valuing the impacted at < £500 per-person.

      2. Doctor Syntax Silver badge

        Re: GDPR-exit

        Several factors to consider here.

        Firstly, offences committed after GDPR applied up until 31st Oct will presumably have to be dealt with under GDPR, just as offences committed pre-GDPR but dealt with after GDPR applied were fined under the old regulations.

        Secondly, if HMG wants to avoid problems for businesses which need to process data of EU residents then they'll need to achieve equivalence which means keeping GDPR-equivalent regulation in place. Whether such sanity will prevail is anybody's guess.

        Thirdly, the current DPA implements GDPR so if the numpty in residence, whoever he may be, doesn't like that he'll have to replace it or repeal it.

        Fourthly, post-Brexit, I presume any fines won't be shared with other EU countries so they may be less to take into account of fines which an EU regulator might apply. Alternatively the maximum sum of EU & UK fines could be 8%. That should make boards think.

      3. 0laf Silver badge
        Thumb Up

        Re: GDPR-exit

        It's been made pretty explicit that the UK will maintain compliance with the GDPR in order to keep exchanging data with the EU.

        That might change over the few years as the USA gradually takes us over.

        It's actually great that a company is really getting hit with a real stinker of a fine. It'll sharpen up practices across the board I hope.

        1. Ken 16 Silver badge

          Re: GDPR-exit

          I wasn't suggesting that the regulations will change and as you say, the UK want to maintain equivalency of regulation. I was suggesting that although the requirements may remain the same, there's an option to drop the penalties for breaching them.

          1. Anonymous Coward

            Re: GDPR-exit

            The penalties are part of the regulations. See, I'm rather sure the EU would notice keeping the same data handling constraints, but with a nudge and a wink as maximum penalties.

          2. Prst. V.Jeltz Silver badge

            Re: GDPR-exit

            come November the UK Data Protection rules might drop the level for fines.

            Your statement implies we are imposing higher fines as an EU requirement, how could you then possibly discard that requirement and still "maintain equivalency of regulation"?

            If that was negotiable we could drop them now, and who wants them lowered anyway?

            1. 0laf Silver badge

              Re: GDPR-exit

              I imagine quite a few large businesses who hold huge quantities of personal information on systems and services that have been deliberately starved of resources to maintain them adequately will be very keen to see fines watered down.

              I'm sure Boris will be keen to help since that naughty EU was hardly a friend to business. Much rather we have a US style system where privacy is largely illusory unless you have money to take everyone to court making citizens a resource and a commodity increasing GDPR.

      4. Moog42

        Re: GDPR-exit

        Nope. Can't maintain adequacy on that basis.

        Numbers differ, but I've heard that UK trade impacted by personal data is in the range of 44%. Not sure impacting that would be in the interests of either side of the Brexit fence.

      5. cynic56
        Unhappy

        Re: GDPR-exit

        Why? I'm sure that I read that American 3-letter agency and general 'we own the world' attitude meant that Safe Harbour was dead and no-one would deal with the US corporate data harvesters because it was now illegal. My arse! All I have seen is an unremitting wave of business to AWS and Microsoft cloud.

        Oh and by the way, stop correcting 'harbour' to the incorrect 'harbor'. I am still on the side of the pond that can spell proper (like).

  2. Anonymous Coward

    What goes around comes around....

    From: IAG GBS Communications <iaggbs.communications@iaggbs.com>

    Sent: 21 June 2019 14:48

    To: DG IAG GBS Global Operations <DG.IAGGBS.Global.Operations@iaggbs.com>

    Subject: ★ IAG GBS MC Update ★

    IAG GBS MC Update

    Dear IAG GBS Team,

    You will have seen the announcement today from Willie announcing the new IAG CIO appointment of John Gibbs, who joins IAG on September 2nd from Rolls Royce.

    This is a new direction for IT and shows how critical IT strategy is across the Group. The emphasis of bringing all IT activities under one area including Digital is the next step in the evolution of Group IT.

    Bill Francis made it clear to me at the end of 2018 that he planned to retire at the end of 2019 and hence why we commenced a recruitment process. I would personally like to thank Bill for all his dedication and determination to get us ready for the future. Bill has done a fantastic job ensuring we are ready to transition to the cloud, whilst exploring and utilising the latest technologies.

    Bill said “After 40 years in the travel industry, with 22 of those at BA and more recently IAG, I have thoroughly enjoyed my time working with all colleagues across the Group.

    Change and transformation have always been at the top of my agenda, and whether that was introducing the new mixed fleet cabin crew for BA or creating Group IT within IAG, I hope that I have been able to make a positive difference”.

    Regards,

    Steve Gunning

    Director of IAG GBS

    1. werdsmith Silver badge

      Re: What goes around comes around....

      What comes and goes I imagine is a fairly sizeable wodge of cash and a final salary scheme.

      I'm sure he's not too troubled.

      It will be ordinary BA employees that pay the price.

    2. Anonymous Coward

      Re: What goes around comes around....

      Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?

      Reading between the lines it seems like a Ops transformation guy was put in charge of creating/transforming Group IT?

      Anyone wiser in the ways of IAG care to comment?

      1. Doctor Syntax Silver badge

        Re: What goes around comes around....

        "Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?"

        Should it surprise anyone? It's the management attitude that a good manager doesn't need to know anything about what they're managing. That's why we get to call them manglement.

        1. CrazyOldCatMan Silver badge

          Re: What goes around comes around....

          a good manager doesn't need to know anything about what they're managing

          As long as they have good people that do know and that the manager trusts then they really don't. Good management isn't (generally) about knowledge - it's about people skills and process skills.

          (Of course, people skills are probably the reason why there are very few good IT people in senior management since good IT skills and abilities seem to be the opposite of skills required to reach senior management..)

          1. nematoad Silver badge

            Re: What goes around comes around....

            "...good IT skills and abilities seem to be the opposite of skills required to reach senior management..."

            I don't know about that. Try working on a site that has the ability to blow the nearby town into the next county, with process operators more interested in keeping the place safe than why the computer won't do what it needs to do and is thus pretty upset with IT and the IT department in general and is in no mood to wait or be fobbed off.

            I did that as a desktop support person and believe me, having a 17 stone Scot raging at you as to why you can't fix the computer NOW needs a lot of people skills. If you had said skills most of the guys were fine once you explained what needed to be done and what you proposed to do about it. Same with senior management. The trouble was with the middle layers. Noisy, demanding and cursed with a minuscule amount of "computer literacy", those were the ones to avoid if at all possible. Dealing with them meant you really got a "people skills" workout as well as developing techniques for controlling blood pressure, temper etc.

            So yes, you don't get to develop arse-licking and back-covering, but then again this is top brass we are talking about and I reckon those skills would only qualify you for a middle level job.

      2. boltar

        Re: What goes around comes around....

        How often have you met an IT director who knows much about IT? They're either parachuted in from another area or they're former devs/admins who - after suitable brown nosing ground work - were promoted out of harm's way and managed to continue that for years.

      3. werdsmith Silver badge

        Re: What goes around comes around....

        Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?

        I think he was head of "Inflight Experience" which means he was chief cabin crew.

        1. CrazyOldCatMan Silver badge

          Re: What goes around comes around....

          he was chief cabin crew

          Exits are here, here and here.

          *My* exit is over there - the one with the big bucket of cash waiting for me. Just think of all the fake tan I can buy!

    3. Annihilator
      Coat

      Re: What goes around comes around....

      "You will have seen the announcement today from Willie announcing the new IAG CIO appointment of John Gibbs, who joins IAG on September 2nd from Rolls Royce."

      Ha! Willie...

  3. Anonymous Coward

    disappointed in the fine because it cooperated fully

    well, that's why it is REDUCED (and going to be watered down more and more until the public lose interest, and in 5 years time, they'll have reduced it to 1 million, it'll be quietly paid). But hey, they had to write SOMETHING in the meantime. They're disappointed.

  4. nematoad Silver badge
    Unhappy

    Wait and see.

    "...had found no evidence that the stolen cards were used"

    Yet.

    1. Gordon 10 Silver badge

      Re: Wait and see.

      tbf I would expect most of the cards to be used pretty quickly. Once a card is known to have been leaked you can pretty much expect it to be cancelled.

      The cynic in me does wonder if they asked their customers or looked for evidence that the cards had been used.

      1. Anonymous Coward

        Re: Wait and see.

        My wife was one of the cards compromised - to be honest BA were quicker to respond than the bank. They advised us to cancel the cards after a day or so, at which point the bank asked us why we were needing replacements. Then the bank got in touch a couple of weeks later to say if we hadn't already, we should get them replaced.

        BA also provided a 12 month subscription to one of the credit reference agencies for free as well.

        1. jms222

          Re: Wait and see.

          > BA also provided a 12 month subscription to one of the credit reference agencies for free as well

          and paid you for the privilege I hope, since they now get to grab even more of your data. What happens if somebody you want to borrow from happens to use only the _other_ credit reference shits instead?

          1. Anonymous Coward

            Re: Wait and see.

            Not quite sure how using the credit reference agencies helps BA grab more data?

            But yes, seeing as how I have a perfect score in one agency and a mid tier score in another, I do wonder about things like that.

            1. Phil O'Sophical Silver badge

              Re: Wait and see.

              Not quite sure how using the credit reference agencies helps BA grab more data?

              Those agencies don't operate for free, and if you're not paying them someone else must be. That someone else will want to get something in return. Your data is the obvious coin.

              As always, if you're not paying for the product, you are the product

              1. Doctor Syntax Silver badge

                Re: Wait and see.

                "if you're not paying them someone else must be"

                In this particular case the someone else was BA. The data was just a bonus.

        2. Gonzo wizard

          "BA were quicker to respond than the bank"

          According to this post on twitter - https://twitter.com/musalbas/status/1148145302328815617 - by the person who originally discovered the issue, BA sat on a GDPR request asking why personal details were being leaked for 30 days before responding, removing the dodgy tracking code on the same day. I bet your bank didn't sit on this for 30 days, did they?

          It also explains why the ICO says the incident started at the end of June while BA told them it started in August.

          1. Anonymous Coward

            Re: "BA were quicker to respond than the bank"

            We got the response from BA about 3 or 4 days after the news found out - then 2-3 weeks later for the bank. So not especially quickly.

    2. Anonymous Coward

      Re: Wait and see.

      I can almost guarantee the stolen card details were used.

      One of our company credit cards was used fraudulently just after the hack period ended, having been used to make a purchase on the BA website during the hack period. It wasn't used to make purchases on many other sites and certainly none of the others looked to be breached.

      Luckily Barclaycard flagged the transaction and we cancelled the card before any damage was done.

    3. macjules Silver badge

      Re: Wait and see.

      Can and have provided evidence to BA and Met police that 2 cards - my business credit card and my wife’s personal card - were cloned after having purchased flights from BA within the fraud timeline.

      To date I have not received any offers of ‘credit worthiness tracking’ or compensation from BA and I only received the standard round-robin email that they sent out. Costs incurred were time on phone to card company plus having to arrange fast replacements when the fraud became apparent which I billed at 2 hours work. To date my invoice to BA for £350 + VAT remains unpaid.

      1. Doctor Syntax Silver badge

        Re: Wait and see.

        "To date my invoice to BA for £350 + VAT remains unpaid."

        Add interest and then go to the small claims court. If they still don't pay having a bailiff distrain a 747 should be interesting and get their attention.

        1. macjules Silver badge

          Re: Wait and see.

          I want an A320 - no Boeing crap for me. Failing that Terminal 5 will do nicely.

    4. Anonymous Coward

      Re: Wait and see.

      "...had found no evidence that the stolen cards were used"

      This kind of BS triggers me every time!

      Of course, genius, whoever uses those card numbers is not gonna put it in the public press! And even though it is reported, you can always feel free to look the other way.

      FFS, why even is this nonsense reported?

      1. tip pc Bronze badge

        Re: Wait and see.

        I assume the card processors, issuers or BA's insurance have reported back to BA that the cards haven't been used fraudulently as a result.

    5. LewisCowles1986

      Re: Wait and see.

      What is their fee from Visa / Mastercard for this? AFAIK Visa can charge 4.5k per person per incident per-day

  5. DaLo

    Oh that'll be a nice bit of compensation for the customers whose data was taken due to security failings.

    Doesn't help with the amount of anguish knowing you are just a moment away from being the victim of identity theft and having to once again change your card details and keep constantly vigilant for unauthorised loan applications. However £378 goes a little way towards easing the pain.

    ...wait, what was that?

    You're saying the people whose data got stolen don't get any of it and the money all goes into the general taxation pot?

    Well that sucks.

    1. adam 40 Bronze badge

      Just another tax

      I completely agree, all these fines do nothing to compensate the victims of the theft.

      The companies just carry on regardless, the government fines them, and the public are shafted.

      1. Anonymous Coward

        Re: Just another tax

        "The companies just carry on regardless, the government fines them, and the public are shafted."

        Yes...the government adds the fines to their big pile of money and never releases it back to pay for any services used by taxpayers.

        Is it fair for those directly affected? Probably not but at the same time proving they were affected may be difficult based on the stories of affected people with banks blocking transactions and a significant number of the cards being replaced quickly.

        The company fine goes towards the "public good" and those directly affected benefit more than if they employed lawyers to go after the company directly. Which is good for everyone but the lawyers...

  6. Warm Braw Silver badge

    Scripts are often used to support marketing and data tracking functions

    You would hope that fines such as these would help companies quantify the cost of gathering the information they "have to have" on their marketing activities.

    However, I suspect the typical response will be to sack a few developers who were required to provide the tracking, then sack a few more who refuse to take on the future responsibility, then carry on exactly as before. As in the crypto "debate", the ability of people in power to demand two mutually-exclusive things simultaneously shows no sign of faltering.

    1. Doctor Syntax Silver badge

      Re: Scripts are often used to support marketing and data tracking functions

      I'd like to think they'll also evaluate their policies re opt-in/opt-out.

      E.g. this morning I tried to phone Hotpoint spares. Their pre-recorded rigmarole was that we might spam you with post or phone unless you opt-out. That's a breach of GDPR right there. I didn't get as far as opting out, however; I gave up on their appalling ACD.

      1. Alan Brown Silver badge

        Re: Scripts are often used to support marketing and data tracking functions

        "Their pre-recorded rigmarole was that we might spam you with post or phone unless you opt-out"

        Every so often I send heads-up emails about such things to the ICO. Apart from the canned responses nothing gets done and I'll invariably find that the same message is on the phone system when calling several months later.

  7. Potemkine! Silver badge

    The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA's site to gain access to the airline's payment system.

    Noscript rulz!

    When a website doesn't work with noscript on because it uses 3rd party javascript then I try to find an alternative, and the original website loses a customer.

    1. mikeo

      Great solution

      ...for 0.2% of people.
