GDPR Means Business - British Airways Penalized

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

GDPR means business. Proof? British Airways is currently facing a record fine of £183 million (~$221 million US) over last year's major data breach that affected more than 500,000 customers. This ruling is significant for a number of reasons:

• This penalty is the first one to be made public since GDPR rules were introduced making it mandatory to report data security breaches to the information commissioner.
• It is the most expensive penalty, per victim, imposed by the EU, crushing the £500,000 (~$604K US) fine leveled against Facebook in 2018 by standards established in the Data Protection Act of 1998.

This second point is quite significant when you look at the figures. British Airways had 500,000 customers affected with an incurred penalty of £183 million (£366/victim), whereas Facebook was penalized £500,000 for affecting as many as 87 million users (£.006/victim) for the Cambridge Analytica scandal. All of this is due to the heightened awareness regarding data privacy and the new laws in governing its protection. The penalties are not meant to incapacitate companies financially. They are based upon the organization's annual global turnover and can be levied up to 4% of that figure. This is the initial established guideline that aims at trying to create penalties that are large enough to become a deterrent and encourage companies to behave responsibly, without crippling them in the short term. Subsequent to this first levied fine, it is apparent that the authorities mean business. It is likely that we will see more judgements being made public to further spread the word. Data protection and privacy have become critical components in modern business affairs, and organizations must begin addressing these concerns to protect their customers and make every effort to avoid security breaches, or suffer the consequences.