U.K.-based airline British Airways (BA) is facing a record fine of £183 million ($229 million) after suffering a cyberattack in September last year. The U.K. Information Commissioner’s Office (ICO) said it was the biggest penalty it had ever issued and it’s the first to be made public following the implementation of the EU General Data Protection Regulation (GDPR).
According to the BBC, BA’s owner IAG was “surprised and disappointed” by the fine.
BA cyberattack and the GDPR fallout
Since coming into force in May 2018, the GDPR has required firms to report a breach within 72 hours. When BA was hit by a cyberattack in September last year, the airline took just one day to inform its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and CVV codes.
It didn’t take long to find out that these details were taken via a malicious script designed to steal financial information by skimming BA’s payment page before it was submitted. This attack, thought to be perpetrated by Magecart, the same attackers that hit Ticketmaster, would allow attackers to see people’s details as they were entered on the page.
Previously, the largest fine issued by the ICO was £500,000. But under GDPR, firms can be fined up to 4% of turnover. In BA’s case, the maximum fine would be £500 million. And that’s in addition to the class action lawsuits becoming commonplace among disgruntled customers. Forbes has the story:
We're Still Not Ready for GDPR? What is Wrong With Us?
Sara Peters, Senior Editor at Dark Reading, wrote an excellent article about GDPR. It both reprimands and encourages us to get off our collective butts and do something about GDPR very soon. If potential penalties of 20 million euros or 4% of your global annual revenue, whichever is higher, don't help us obtain better budgets, then we're doing something wrong. The article starts out with:
"The canary in the coalmine died 12 years ago, the law went into effect 19 months ago, but many organizations still won't be ready for the new privacy regulations when enforcement begins in May.
If you've been comforting yourself with the thought "I'm sure there will be a grace period for the EU's General Data Protection Regulation," think again, pal, because this is the grace period, and it's almost over. May 25, 2018 enforcement actions for GDPR begin, many if not most of us aren't ready, and we really have no good excuse.
Two out of every five respondents to a new survey released Thursday by Thales stated that they don't believe they'll be fully prepared for GDPR when enforcement actions kick in, specifically 38% of respondents in the UK, 44% in Germany, and 35% in the US.
Other recent surveys turn up similar results. Aside from the fact that GDPR officially went into effect in 2016, why is this privacy law and the controls it requests coming as such a surprise? We should have seen this coming from 10 miles and 12 years away." I strongly recommend you read this article right now:
Once you have read it, you'll understand the urgency. Then, go to the KnowBe4 Modstore and step through the Preview of the GDPR module. It's available in 24 languages now: