[Updated] 2018 data breach: BA fined £20 million
#91
Join Date: Oct 2012
Location: On the underground
Programs: BMI Diamond Club, BA Executive Club
Posts: 462
I'd hate to be the CTO who more than likely did a presentation to the board about how much money they could save by outsourcing to India.
So far we've had the turn off and on at the data centre and this breach.
And all we got was a terrible website and apps.
#94
Ambassador, British Airways Executive Club, easyJet and Ryanair
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,926
It appears it was some sort of inside job (somebody got direct access to the server), so not much hacking involved. It was the time it took BA to notice that's the issue. And even when they did notice, their audit trail couldn't detect who had made the change. Assuming, of course, that the perpetrator hasn't actually been caught and it's not being reported.
That is a very bold assertion, the first I have heard of it. Where has that been reported?
#95
Join Date: Sep 2005
Location: Reading, UK
Programs: SK EBS / BA Silver / BMI Gold / KLM Silver
Posts: 93
Aside from the consequences of the breach, the ICO will be looking particularly at whether it feels BA took all reasonable precautions to protect consumer data both before the breach, during the incident, and after. Do I recall there was at least one report on this board of someone actually reporting the potential for a breach to BA and then continuing to find the hole open for quite some time? Was that ever confirmed? I'm sure there is plenty we don't know about this incident, but if BA continued to trade in knowledge of the potential hole in its security, and if the ICO feels BA didn't do all it could to plug that hole whilst continuing to trade, the ICO will take a very dim view of it.
#96
FlyerTalk Evangelist
Join Date: Mar 2010
Location: JER
Programs: BA Gold/OWE, several MUCCI, and assorted Pensions!
Posts: 32,145
BTW, in case anyone has forgotten ... aside from the financial aspects, there’s a load of other personal information now floating around happily on the dark web. Just saying.
#97
Join Date: Oct 2017
Location: London
Programs: BA Gold / OW Emerald
Posts: 753
#98
Join Date: Feb 2011
Posts: 5,797
I too wonder if anybody will ever be caught for this.
Obviously, if they are, they'll be sent to jail for a very long time and probably lose everything they own. You can't send a company to jail so a fine is the next best thing. BA deserve to pay every penny of that 183m. It's not like they weren't given ample warning of their lax IT systems.
#99
FlyerTalk Evangelist
Join Date: Jun 2004
Location: LON, ACK, BOS..... (Not necessarily in that order)
Programs: **Mucci Diamond Hairbrush** - compared to that nothing else matters (+BA Bronze)
Posts: 15,128
???
Clearly any hackers if they could be found, would be arrested with criminal charges.
BA, as any company which handles financial data, has a responsibility to keep this data safe. Clearly they don't. This fine is simply a measure to apply this. To say this is unfair would be absurd - absurd would be random fines applied to companies.
I think it is just a shame that the fine wasn't higher as this will probably be negotiated down (quick and early payment, etc...).
Anyone thinking this is anti-BA, anti-capitalist, etc... would need to take a long look at themselves. They've clearly committed malpractice and for that there should be retributions. Their ability to self-govern and impose proper controls clearly has failed.
#101
Join Date: Oct 2009
Location: Dundee
Programs: BA Plastic. HH Diamond. Speedwell Bar Lifetime Platinum.
Posts: 1,425
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft" is a comically mealy-mouthed statement in response to this and makes it seem like BA don't even understand the basic implications of what it means to hold someone's credit card details. Totally pathetic.
Comical Ali
#102
FlyerTalk Evangelist
Join Date: Nov 2011
Location: Brighton. UK
Programs: BA Gold / VS /IHG Diamond & Ambassador
Posts: 14,195
1. Deserves to be fined (well, to a sensible degree).
2. Serves it right for outsourcing things poorly.
3. However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
4. There's likely to be a knock-on effect, because the company will have less money. I s'pose BA is no longer investing 6.5bn, eh? Maybe 6.3bn? Hmmm.
5. I worry about what this all means for the customer at the end of the day. And I don't think it's likely to be positive.
2. Agree. But there is nothing wrong per se with outsourcing IF it is properly managed with a robust contract and penalties
3. Correct. In the UK regulatory fines get paid into the Treasury and the consolidated fund. Other parts of the world have different rules on how regulatory fines can be used.
4. £183m out of £6.5b is a rounding error in a multi year capital programme.
5. Hopefully it means our personal data is held more securely by BA, and that would be a positive outcome.
#103
Join Date: Oct 2018
Location: London
Programs: BAEC blue dust
Posts: 271
Yep, that's what annoys me the most. That my CC details get compromised is one thing, but that's quickly resolved with a new card. I consider things like full name/ DoB/ address etc in the hands of people who shouldn't have them to be more of a problem. Especially with information seemingly getting collated - so add your mobile and email(s) to that and they have a lot of info.
#104
Ambassador, British Airways Executive Club, easyJet and Ryanair
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,926
By way of clarification:
The ICO has power to fine up to £20M or up to 4.5% of turnover whichever is greatest meaning the maximum penalty BA faced was £549M.
Whilst that statement is correct, not all of that penalty will be kept by the UK. The penalty will be divided between other EU data authorities. It is only the UK's portion that will end up at the Treasury.
1. The law has a maximum of £20M OR up to 4% of turnover, so 1.5% is a huge reduction and with some proper contrition from BA could very well be reduced. If the legislators wanted there to be a different maximum they would have written it in to the rules or had a lower % limit, but then other people would have said that the fine was too low. The ICO obviously felt that £20m wasn't enough of a fine...
#105
Join Date: Jan 2008
Posts: 3,839
I’m genuinely surprised by the strength of feeling on here that the fine is excessive. It’s less than 10% of one year's profit!
Whilst it is perceived as a victimless crime, it isn’t; real hard money has been lost and BA is deemed partly responsible for this due to its inaction. I suspect if the customer actually had to bear the cost of the fraud in the first instance and seek recovery from BA (which effectively is what the card providers are doing) then views would change very quickly.
As for the idea that this will just be added to the cost of flights, that assumes that BA are a price maker (you might want to get in touch with competition authorities re monopoly power if you have evidence to that effect) and even if they can pass on the cost, it’s still a really bad idea to reward such poor data management. Customers can always book with someone else after all.