
[Updated] 2018 data breach : BA fined £20 million


Old Jul 9, 2019, 9:29 am
  #151  
 
Join Date: Oct 2006
Location: London
Programs: Many. Too many. I came here to cut them down. I failed.
Posts: 2,999
I'd equate it more like your home actually being a bank, but you left all the doors, windows and safes opened which contained my valuables.

Yeh, someone had to commit an offense to actually go inside and take it, but it was an eminently preventable theft.
Sam Bee is offline  
Old Jul 9, 2019, 9:32 am
  #152  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 38,644
Originally Posted by Sam Bee
I'd equate it more like your home actually being a bank, but you left all the doors, windows and safes opened which contained my valuables.

Yeh, someone had to commit an offense to actually go inside and take it, but it was an eminently preventable theft.
Isn't there an additional element to the burglary analogy? The new law places a legal obligation on the company to do what it can to prevent someone committing the criminal offence. It's obviously true that both BA and its customers were victims of crime. But the way that I see it, the ICO's approach may be more directed to whether and to what extent BA complied with its legal obligation to prevent the crime occurring.
T8191 and Tobias-UK like this.
Globaliser is offline  
Old Jul 9, 2019, 9:37 am
  #153  
 
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 6,399
As a couple of folk posted earlier in the thread, we will most likely never get to know the full story behind this breach. But we do know that BA fully intends to appeal, as allowed by this section of the official press release issued by the ICO: “The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction”

Can anyone say whether the content of such ‘representations’ is made available for public consumption in these scenarios? The GDPR legislation itself is still fairly new, is it not, so perhaps not too many precedents? There was a major data breach involving TalkTalk a while back, IIRC.
subject2load is offline  
Old Jul 9, 2019, 9:40 am
  #154  
 
Join Date: May 2019
Posts: 181
Originally Posted by Laphroaig57
Feels like I have my house burgled, police come round and say my window locks are poor and not up to standard so they are going to fine me now !
But did you go round your neighbours telling them they could store their stuff in your house and it would be perfectly safe?
wrp96 likes this.
MNMAA is offline  
Old Jul 9, 2019, 9:43 am
  #155  
 
Join Date: Jul 2010
Location: HEL
Programs: AY Platinum (OWE), SK G(*G), BW Diamond
Posts: 810
It is not a burglary at your house, your property being stolen; it is about your neighbour going out on holiday and trusting you to keep their family jewels at your home, as you have stated you have appropriate security measures in your house. Your neighbour trusts you and your assurance of how you protect your own assets, as you have said it yourself and you are a man/woman to trust. So, you continue keeping your doors and windows open, a burglar comes and steals the jewels. Would the neighbour have given you the jewels had he/she known what your "security measures" actually are?

It is unlikely that high sanctions are given for "trying but failing" but likely ICO has determined that BA has not even tried, or, not really followed industry best practices which, by nature of their business and scope of processed personal data, should have been followed instead of whatever way was chosen.

It will take time for people to understand that GDPR is really nothing more than a quality management framework. No airline would likely easily start using non-spec fuels or skip maintenance, but it will take time for (any) company or customer to understand that similar criteria are now becoming standard in data protection and, in the end, likely something that will separate the EU (in a good way) from those countries where one cannot trust the quality of fuel, food etc.
Sealink and subject2load like this.
Post Scriptum is offline  
Old Jul 9, 2019, 9:45 am
  #156  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,919
The other thing to bear in mind, other than doing the right thing for themselves and their customers in terms of data security, the breach included credit card information which is governed by the PCI regulations and is a contractual commitment between the merchant (BA) and their acquiring bank that processes their card transactions. Irrespective of if people think BA were unlucky here (which they were not) they had committed to maintain the security of cardholder data to their bankers and they clearly failed.
plunet is offline  
Old Jul 9, 2019, 10:00 am
  #157  
Ambassador, British Airways Executive Club, easyJet and Ryanair
 
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,932
Originally Posted by subject2load
As a couple of folk posted earlier in the thread, we will most likely never get to know the full story behind this breach. But we do know that BA fully intends to appeal, as allowed by this section of the official press release issued by the ICO: “The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction”...

It's not an appeal, per se, but a right of reply to the allegations detailed in the findings and proposed sanction. See it more of a clarification and representation of the airline's views on the findings, and an argument in mitigation with respect to the sanction.

Once the final decision has been promulgated, the ICO will likely publish its findings on its website together with the reasons for it. Only at that point might an appeal be considered.
HIDDY and Kgmm77 like this.

Last edited by Tobias-UK; Jul 9, 2019 at 12:15 pm Reason: Fat fingers
Tobias-UK is offline  
Old Jul 9, 2019, 10:05 am
  #158  
 
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 6,399
Clarification appreciated, Tobias ^
subject2load is offline  
Old Jul 9, 2019, 10:20 am
  #159  
 
Join Date: Jul 2019
Location: UK
Programs: BA Silver, IHG Platinum
Posts: 943
The fine seems reasonable to me.

BA may feel aggrieved and that they feel they've been made an example of, and there probably is some truth in that to be fair. GDPR however came in with plenty of publicity regarding the possible fines for failure to protect data. As they didn't protect it very well, this was inevitable.

The worst of this is BA's apparent nonchalance towards this breach and the resulting disruption many customers (including some very high spenders with BA) have suffered. I don't have status with BA, but if I'd been spending many thousands with them I would be very angry with their attitude towards this. It is clear lessons have not been learned, so hopefully the fine focuses the mind. In the meantime, the personal details of many individuals have been compromised and fraud attempted; fraud that Amex appear to have pointed out well before BA became aware of the breach, in some cases.

I know very little about BA's IT other than that their website is not very user-friendly (they are far from alone in this regard) but what I have read here does concern me. It seems their attitude had been very poor, and that taking the cheap option has, as it often does, become more expensive.

I thankfully haven't been affected by this breach, but the response to it sits really badly with me. It has lowered my confidence in BA.
Dover2Golf likes this.
Bohinjska Bistrica is offline  
Old Jul 9, 2019, 10:24 am
  #160  
 
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,908
Originally Posted by Globaliser
Isn't there an additional element to the burglary analogy? The new law places a legal obligation on the company to do what it can to prevent someone committing the criminal offence. It's obviously true that both BA and its customers were victims of crime. But the way that I see it, the ICO's approach may be more directed to whether and to what extent BA complied with its legal obligation to prevent the crime occurring.
The point is that this was probably entirely avoidable had the appropriate steps been taken.

BA thoroughly deserve the kicking that they’re getting for this.
Nicc HK likes this.
Tiger_lily is offline  
Old Jul 9, 2019, 12:49 pm
  #161  
 
Join Date: Feb 2009
Location: YYC
Programs: BA bronze, Aeroplan peon
Posts: 4,747
Originally Posted by Laphroaig57
BA were the victims of a crime. And now the authorities are fining them for it.
BA had a legal obligation to protect the information entrusted to them and they completely failed in their responsibilities. They were victims because of their lack of compliance with the law. Their comments still suggest that they are not taking their obligations seriously, so a fine is an excellent way to make them realise this is serious.
Dover2Golf, alex67500 and :D! like this.
Jagboi is offline  
Old Jul 9, 2019, 1:00 pm
  #162  
FlyerTalk Evangelist
 
Join Date: Nov 2011
Location: Brighton. UK
Programs: BA Gold / VS /IHG Diamond & Ambassador
Posts: 14,205
The Marriott President is also trying the 'we were victims of crime' excuse.

Really don't think it's going to work, especially as the SPG breach went on for years and involved millions of people, 30 million Europeans.
UKtravelbear is online now  
Old Jul 9, 2019, 1:35 pm
  #163  
 
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,908
Originally Posted by UKtravelbear
The Marriott President is also trying the 'we were victims of crime' excuse.

Really don't think it's going to work, especially as the SPG breach went on for years and involved millions of people, 30 million Europeans.
How utterly pathetic. Marriott are getting off lightly.
Tiger_lily is offline  
Old Jul 9, 2019, 2:07 pm
  #164  
V10
 
Join Date: Aug 2012
Location: Provincie Antwerpen, Vlaanderen, België
Programs: MUCCI Gold
Posts: 2,512
Originally Posted by UKtravelbear
The Marriott President is also trying the 'we were victims of crime' excuse.

Really don't think it's going to work, especially as the SPG breach went on for years and involved millions of people, 30 million Europeans.
Quite. Long term hacks like this can only be sustained by lax and complacent security processes at the target.

Even zero-day exploits should be able to be quickly shut down when a robust and well-resourced plan is in place.
V10 is offline  
Old Jul 9, 2019, 2:17 pm
  #165  
 
Join Date: Oct 2006
Location: UK
Programs: BA Blue, IC Spire Ambassador
Posts: 5,231
Originally Posted by Nicc HK
It is all about cheap (well very expensive) accountants making cheap decisions that end up costing more than the original savings. Any form of Risk Assessment is ignored, dumbed down, or omitted altogether.

So common it is sad (Boeing anyone?), and all too prevalent across many industries now which cannot see beyond numbers on a spreadsheet to understanding the business being run, and airlines seem not to care. I got inconvenienced by both BA and CX, and before people think about shifting to *A, I had someone try a phishing attempt on me using Lufthansa. I reported it to them; the first time got ignored, tried again and was told "not our concern" or words to that effect.

If the companies don't invest in protecting our data, they must be made to pay.

What gets me is BA saying "We did not find any evidence", well they could be telling the truth because you cannot find evidence if you do not look.

Much as I criticise Banks, when it comes to data protection it is one thing they try very hard to do right. I work with quite a few Banks.
Completely agree with this. The approach these days seems to be to view everything either as a cost or a receipt, but taking no account of human factors, or that if you cut one person at £50k and replace them with one at £25k, in addition to often getting half the quality you are also causing a ripple effect across teams, losing knowledge/experience and destroying the internal networks/engagement that made systems and processes work day to day.
Dover2Golf likes this.
IAMORGAN is offline  