The £183m British Airways fine is a game-changer for consumers
Inside Business: Penalties from the Information Commissioner of up to 4 per cent of turnover should incentivise investment in cybersecurity
They’re fining us when we’re the victims? Poor us!
That’s what British Airways’ reaction to being told by the Information Commissioner’s Office (ICO) of an intent to fine the airline £183m over a data breach last year feels like.
Here’s Alex Cruz, chair and chief executive: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
There was then the standard “we apologise to our customers for any inconvenience this event caused” at the end of his quote, which will probably come as slim comfort to those whose details found their way into the hands of criminals during the breach.
Around 500,000 of them were diverted to a fraudulent website while they were trying to use BA’s. It harvested their details. The breach went on for several weeks, and while it did not include the passport details and travel information of those caught up in it, it did include their credit card details.
Improvements were, BA said, subsequently made.
Now it could just be me, but the victims here are the people who had their details stolen, not BA. Yes, crooks were responsible for the thefts, and yes they should be pursued and punished. But their activities don’t and shouldn’t absolve the airline of responsibility. Quite the reverse.
Organisations which hold our data have a responsibility to do whatever it takes to keep it secure. The regularity with which breaches have been reported suggests too many of them haven’t been doing enough.
Unfortunately for the watchdogs charged with getting them to pull their virtual socks up, the previous maximum fine that could be levied was just £500,000. The framework they were operating under was woefully inadequate. For a company like BA, that’s a drop in the ocean.
It is the EU’s General Data Protection Regulation (GDPR) that has changed the rules of the game.
Under it, the ICO can levy fines of up to 4 per cent of companies’ turnover.
Of course, it’s one thing to have that sort of power, and quite another to use it. It is to the ICO’s considerable credit that it has made clear that it will do so.
BA’s proposed fine actually amounts to 1.5 per cent of its turnover. So you could make the case that it has been given plenty of credit for co-operating with the authorities and making the improvements its bosses have been banging on about.
You could even make the case that it is getting off relatively lightly.
If the penalty is confirmed – and I imagine that the ICO will have prepared itself for trouble from the first company to fall afoul of new rules – the fine should prompt some serious thought among corporate Britain’s IT chiefs. Scratch that. It should create some serious thought among its CEOs and finance directors.
Fines like that are big enough to hurt. They should incentivise greater investment in data security. If that’s the result of this, it will be a most welcome development for consumers at the sharp end.