When companies such as Flipboard discover that someone’s been lurking on their servers for months, it isn’t always a case for alarm, and a password reset can wash it all away. That isn’t the case with British Airways though, who was recently fined by the Information Commissioner’s Office (ICO) for a GDPR data breach last year that saw the personal and financial information of around 500,000 customers in the hands of cybercriminals.
The ICO earlier today announced it wants to fine BA around £183 million (or $230 million), which happens to be the largest ever issued by the agency, and a much bigger blow than the £500,000 one dealt to Facebook for failing to protect user data for 87 million people. Facebook's penalty was a slap on the wrist in comparison.
The BA data breach involved login, address, payment card information and booking details. Information Commissioner Elizabeth Denham said that loss of personal data is inexcusable, and “more than an inconvenience”, and made it clear that companies big and small should be more responsible with handling sensitive customer data if they wish to avoid scrutiny and hefty fines.
It’s worth noting that while Facebook got away with a relatively smaller fine for the same offense due to GDPR not having come into force, British Airways has been fined just 1.5% of its estimated global earnings – compared to 4% which is the maximum extent by GDPR law. In any case, BA chairman Alex Cruz said the company is “surprised and disappointed” by the decision, which leaves it only 28 days before it becomes final.
The same hacker group that stole data from British Airways has also managed to do the same with Newegg, and with US legislators also looking to push a GDPR-like bill on the other side of the ocean, companies are scrambling to comply. Earlier this year, big companies like Microsoft and Apple paraded their own efforts to comply with GDPR-style guidelines even outside the EU, and both called for tech industry regulation.