
[Updated] 2018 data breach : BA fined £20 million

Old Jul 8, 2019, 11:55 am
  #121  
 
Join Date: Jun 2009
Location: UK
Programs: Lemonia. Best Greek ever.
Posts: 2,274
Peter01,
that is a very good point. And their service was excellent.

Turning to IT, it must, MUST appear to corporates that a well funded, well managed IT function, with good Internal management, is so much better than the drivel that corporates put up for outsourcing.
They can write the code in India, or Vietnam, but they MUST run the risks from the UK/USA.
PETER01 likes this.
Ancient Observer is offline  
Old Jul 8, 2019, 11:58 am
  #122  
 
Join Date: Jun 2009
Location: UK
Programs: Lemonia. Best Greek ever.
Posts: 2,274
Years ago, I worked with a brilliant Engineer who properly costed outsourcing. Fully and properly. Including all the necessary and relevant/appropriate supervision. His costing was scary. He said do it all in the UK!!!
He was called daft. But he was correct for his projects.
JimEddie and thebigben like this.
Ancient Observer is offline  
Old Jul 8, 2019, 3:40 pm
  #123  
 
Join Date: Sep 2014
Location: Brexile in ADB
Programs: BA, TK, HHonours, Le Club, Best Western Rewards
Posts: 7,067
Originally Posted by South London Bon Viveur
Whilst BA should be held to account for data breaches, this does sound like quite an excessive fine.
Bearing in mind that BA does not pay corporate tax here, nice that they contribute to the exchequer.
Worcester is offline  
Old Jul 8, 2019, 3:46 pm
  #124  
Moderator: British Airways Executive Club, Iberia Airlines, Airport Lounges and Environmentally Friendly Travel
 
Join Date: Jan 2003
Location: London, UK
Posts: 22,213
Originally Posted by Worcester
Bearing in mind that BA does not pay corporate tax here, nice that they contribute to the exchequer.
I think your first point is an urban myth (assuming 'here' refers to the UK) - easily verified though if one cares to read the company's financial data
Prospero is offline  
Old Jul 8, 2019, 3:59 pm
  #125  
 
Join Date: Sep 2010
Location: UK oop north
Programs: BMI Diamond Club RIP,BAEC Silver
Posts: 1,692
Originally Posted by buddman
Then don't do business with them. They were targeted by a criminal act, suffered financial business damage as a result, and now they are being disproportionately fined. Consumer protection protects you from losing money when sellers make false claims. I suspect you suffered no damage at all except to your high horse?
At the time I wouldn’t have known they weren’t looking after my data!
YorkieFlyer is offline  
Old Jul 8, 2019, 4:10 pm
  #126  
 
Join Date: Jul 2018
Posts: 1,281
Originally Posted by South London Bon Viveur
Whilst BA should be held to account for data breaches, this does sound like quite an excessive fine.
It is a huge fine, but it's around 38% of the maximum penalty that could have been levied.

In some senses it's the big-corporate equivalent to someone racking up a £375 fine at magistrate's court for speeding (where the maximum penalty is £1000, unless on a motorway). A whopping penalty, but not out of the ordinary.
orbitmic and wrp96 like this.
cauchy is offline  
Old Jul 8, 2019, 4:18 pm
  #127  
 
Join Date: Apr 2012
Location: LON
Programs: Mucci, BAEC, Eurostar
Posts: 3,293
Originally Posted by Prospero
I think your first point is an urban myth (assuming 'here' refers to the UK) - easily verified though if one cares to read the company's financial data
Yes and their companies house registration number is pretty easy to remember, it's 1 followed by a bunch of 7s

And indeed, according to their last filings, to the tune of GBP 365m.

Last edited by alex67500; Jul 8, 2019 at 4:29 pm
alex67500 is offline  
Old Jul 8, 2019, 4:27 pm
  #128  
 
Join Date: Apr 2012
Location: LON
Programs: Mucci, BAEC, Eurostar
Posts: 3,293
deleted
alex67500 is offline  
Old Jul 8, 2019, 5:14 pm
  #129  
A FlyerTalk Posting Legend
 
Join Date: Aug 2006
Location: Argentina
Posts: 40,211
As I wasn't affected by this I've paid scant attention to it all.
However, if found guilty of a security breach through fault of their own then yes BA deserve to be fined and seen to put things right.
HIDDY is offline  
Old Jul 8, 2019, 8:24 pm
  #130  
 
Join Date: Jan 2005
Location: Singapore - the hot, little red dot
Programs: BA, SQ
Posts: 861
I'm glad that the ICO have come down hardish on BA.

BA will moan that they've been made an example of and good on the ICO for showing that they are taking this all very seriously. How long before companies wise up and do something about it I'm not so sure. While GBP183m may appear large, in the overall scheme of things is it large enough to kick companies such as BA into action?

I think the ICO have left enough leeway in the fine so "if" BA have another breach they can increase the fine until they finally get the message.

I would hope that the larger GDPR fines will now work in a similar way to how companies are finally wising up to AML. It's only by making the penalties significant and the risk of personal liability too that have got everyone moving in the right direction for AML.
Wong Jnr is offline  
Old Jul 9, 2019, 1:24 am
  #131  
 
Join Date: Nov 2015
Programs: CAMRA GGL (Gold Card Holder/Lifetime membership)
Posts: 727
I joined the SPG action ages ago after my details were compromised in this attack. Haven’t heard anything from them for ages now.
hungry is offline  
Old Jul 9, 2019, 2:05 am
  #132  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 870
It is all about cheap (well very expensive) accountants making cheap decisions that end up costing more than the original savings. Any form of Risk Assessment is ignored, dumbed down, or omitted altogether.

So common it is sad (Boeing anyone?), and all too prevalent across many industries now which cannot see beyond numbers on a spreadsheet to understanding the business being run, and airlines seem not to care. I got inconvenienced by both BA and CX, and before people think about shifting to *A, I had someone try a phishing attempt on me using Lufthansa. I reported it to them, the first time got ignored, tried again and told "not our concern" or words to that effect.

If the companies don't invest in protecting our data, they must be made to pay.

What gets me is BA saying "We did not find any evidence", well they could be telling the truth because you cannot find evidence if you do not look.

Much as I criticise Banks, when it comes to data protection it is one thing they try very hard to do right. I work with quite a few Banks.
Nicc HK is offline  
Old Jul 9, 2019, 2:32 am
  #133  
 
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,904
Originally Posted by Nicc HK
It is all about cheap (well very expensive) accountants making cheap decisions that end up costing more than the original savings. Any form of Risk Assessment is ignored, dumbed down, or omitted altogether.

So common it is sad (Boeing anyone?), and all too prevalent across many industries now which cannot see beyond numbers on a spreadsheet to understanding the business being run, and airlines seem not to care. I got inconvenienced by both BA and CX, and before people think about shifting to *A, I had someone try a phishing attempt on me using Lufthansa. I reported it to them, the first time got ignored, tried again and told "not our concern" or words to that effect.

If the companies don't invest in protecting our data, they must be made to pay.

What gets me is BA saying "We did not find any evidence", well they could be telling the truth because you cannot find evidence if you do not look.

Much as I criticise Banks, when it comes to data protection it is one thing they try very hard to do right. I work with quite a few Banks.
I think that when they say they cannot find evidence of accounts being impacted, I reckon AC means BAEC accounts.
Tiger_lily is offline  
Old Jul 9, 2019, 2:59 am
  #134  
 
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 6,399
Originally Posted by Nicc HK

......................................

If the companies don't invest in protecting our data, they must be made to pay.

..............................
Difficult to disagree with that !

Although there is of course a reasonable argument, as expressed by a number of posters upthread, that such ‘corporate fines’ are misplaced in as much as it is we the travelling public who will ultimately be made to pay, by one means or another.

This is also borne out by a couple of tweets just spotted (see below) ...... the first from AC by way of reaction to the fine, the second from a BA passenger.

Thinking of how I’m going to save £183 million this FY #Enhancements
#Fines

BREAKING: British Airways announce plans to introduce new optional fees for passengers who prefer their data to remain private AND secure


NB : for sake of clarification, I must add that these appeared not on BA’s official twitter page, but on the parody ‘Not Señor Alex Cruz’ feed.

All the same, perhaps not a million miles from reality ........
no2blues likes this.
subject2load is offline  
Old Jul 9, 2019, 2:59 am
  #135  
Ambassador, British Airways Executive Club, easyJet and Ryanair
 
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,928
Originally Posted by DYKWIA
I posted a link to a very detailed technical report in the original data breach thread.

https://www.riskiq.com/blog/labs/mag...irways-breach/

From that, it would appear that the perpetrator needed direct access to a BA server to modify a JavaScript library. Unless, of course, they managed to get onto the BA server from outside the network - which would be an even bigger breach...
Thanks for that, I hadn't seen it previously. So the assertion of an 'inside job' is an assumption based on the contents of that blog rather than on any indication or declaration of the ICO, law enforcement or BA? Hopefully law enforcement will find at least some of the culprits involved in the criminal aspects of this event and more facts revealed to us.
HIDDY likes this.
Tobias-UK is offline  

