The hefty £183m fine imposed on British Airways for losing half a million customers’ personal data shows Europe’s new data protection law has teeth. And if you don’t take care, it will bite you.
BA is appealing against the fine – which amounts to 1.5 per cent of its annual turnover. But even if the appeal is successful, the fine is still likely to be far higher than those imposed before the General Data Protection Regulation (GDPR) came into force.
Over a two-week period in August and September last year, hackers stole personal data belonging to 380,000 customers. The airline then disclosed a second cyber security incident involving 185,000 people who had made bookings between late April and late July.
Both attacks were part of a wider malicious campaign thought to be orchestrated by Magecart – a shady organisation that also attacked Ticketmaster and Newegg.
The UK’s Information Commissioner’s Office (ICO) could have fined BA as much as £500m, but due to BA’s cooperation and its introduction of new security measures, the penalty was lower. However, George Salmon, an analyst at stock market investment giant Hargreaves Lansdown, predicted that the fine would make a “pretty big dent” in the financial performance of BA’s owner IAG.
Another high-profile victim to receive a hefty rap on the knuckles recently was hotel group Marriott Bonvoy. It was fined £99m when a breach of its booking systems led to the exposure of approximately 339 million guest records. In November 2018, the company said an unknown third party had gained unauthorised access to a guest reservation system by exploiting an unpatched vulnerability dating back to 2014.
Gary Jowett from Computer & Network Consultants in Brighton, said: “Such hefty fines may hurt large businesses, but much smaller fines could actually be far worse for small and medium-sized companies that don’t have the financial tools at their disposal to mitigate the consequences. That’s why all businesses have to ensure all aspects of IT security are watertight and take a holistic approach, including regular staff refresher training to maintain high standards.”
To help keep standards high, it’s worthwhile attaining Cyber Essentials certification. It reassures customers and business partners that you take data protection seriously, and because the UK government recommends it be renewed annually, it gives you the yearly discipline of checking your cyber defences.
However, getting certification can be daunting without outside help for some smaller companies.
There are different levels of certification to consider and you are required to establish a boundary of scope for your organisation’s cyber security. You also need to choose a bona fide accreditation body.
So it’s a good idea to get help from an independent IT consultant who will have broad experience of different companies.
Gary added: “Having strong IT security, which is regularly refreshed, is vital in a world where the threats are constantly changing. It’s as important as maintaining your fleet of vehicles, checking your office’s fire alarms and doing regular fire drills. You can be sure the penalty for compromising customers’ data could be significantly higher than other risks – both in terms of financial penalties and damage to your company’s reputation.”