British Airways plane

British Airways Hit With Record $229 Million Fine After 2018 Hack

The airline, along with Mariott International, is facing harsher penalties for not properly protecting customers’ personal data prior to cyberattacks.

British Airways, the second largest airline in the United Kingdom, could have to pay a record fine of over 183 million pounds, or about $229 million, for a hack that exposed the private data of hundreds of thousands of customers. The penalty is the largest ever issued by the Information Commissioner’s Office, the British agency tasked with protecting citizens’ data privacy.

An investigation conducted by the ICO found that the airline’s lack of security measures allowed for hackers to “harvest” personal data of 500,000 customers for several months in the summer of 2018. The incident involved diverting customers from the British Airways website to a fraudulent site where users entered their names, email addresses, travel details and credit card information.

Since the attack, the company has made improvements to its security operation and cooperated with the investigation, according to the ICO.

“People’s personal data is just that – personal,” ICO commissioner Elizabeth Denham said in a Monday statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

She added: “Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The announcement came in the wake of new regulations in the U.K., introduced last year, that make it mandatory for companies to report security breaches to the ICO. The changes to the General Data Protection Regulation (GDPR) also increased the maximum penalty to 4 percent of the corporation’s turnover, or yearly net sales. While the fine on British Airways was the largest ever levied by the agency, it was only about 1.5 percent of the airline’s turnover in 2017, according to the BBC.

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, the strategic technology partnerships officer for The Media Trust.

It doesn’t look like the regulator is slowing down anytime soon. On Tuesday, the ICO announced its intention to fine Mariott International over 99 million pounds, or $124 million, for a data breach that led to the exposure of 339 million sensitive guest records, 30 million of which were related to European residents.

The ICO investigators concluded that Mariott failed to undertake “sufficient due diligence” when it bought Starwood, a group of hotels that had its reservation database hacked in 2014, eventually exposing the data of over 500 million guests. The attack was only discovered and reported to the regulator in November.

Tim Erlin, the vice president of product management and strategy at cybersecurity company Tripwire, said the regulations “walk a fine line” between improving security and blaming the victim of criminal activity.

“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” Erlin said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”

Both companies will have the opportunity to argue for a reduction in the fine before the ICO makes its final decision. Regardless of the outcome, security experts say the severity of the British Airways penalty should be a wake-up call to companies about the importance of data security.

“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it.”

Featured

  • Top 5 Cybersecurity Trends of 2023

    Top 5 Cybersecurity Trends for 2023

    Cybersecurity is a rapidly evolving field, and staying on top of the latest trends is essential for organizations looking to protect themselves from cyber threats. Read Now

  • See How Reddit Users Have Unlocked the Dark Side of ChatGPT

    See How Reddit Users Have Unlocked the Dark Side of ChatGPT

    In less than four months after its debut, ChatGPT continues to garner attention from users all around the world who have made use of the AI system that answers questions, creates computer code, and much more. Read Now

  • Enforcing Zero Trust in a Hybrid Work Environment

    Enforcing Zero Trust in a Hybrid Work Environment

    The effects of the pandemic have rippled across the business world like a meteor hitting a pond, creating a new plethora of challenges that incorporated into MBA curriculum for years to come. Read Now

  • First Responders Give NIST Their Communications Tech Wish Lists

    First Responders Give NIST Their Communications Tech Wish Lists

    Our first responders have spoken. An extensive research project conducted by experts at the National Institute of Standards and Technology (NIST) reveals what our country’s police, fire, emergency medical and 911 dispatch responders think about the communications technology they use on a regular basis and how they would like developers to improve it in the future. Read Now

Featured Cybersecurity

New Products

  • Tyco Kantech EntraPass security management software

    Tyco Kantech EntraPass security management software

    Johnson Controls, the global leader in smart, healthy and sustainable buildings, and architect of the Open Blue digital connected platforms, has released the newest version of the Tyco Kantech EntraPass security management software. 3

  • LiftMaster Garage Door Opener

    LiftMaster Garage Door Opener

    LiftMaster Transforms the Garage Door Opener Into a Sleek Smart Home Device That Does More Than Open and Close the Garage Door 3

  • Schlage RC reader controller

    Schlage RC Reader Controller

    This new innovative device combines the power of the Pure IP™ access control technology pioneered by ISONAS with Schlage’s intelligent hardware and credentials, delivering a comprehensive and cost-effective perimeter solution to customers. 3