The record fine of £183,000,000 for a UK data breach signals a new era for the economics of information security.
The first fine issued by the UK’s Information Commissioners Office (ICO) under the GDPR regime is 367 times higher than the previous maximum fine levied against Facebook in the aftermath of the Cambridge Analytica scandal.
The fine relates to a breach of the British Airways website and mobile app which saw the payment card and personal details of over 380,000 people stolen during a 15 day period starting August 21st2018.
While BA has remained tight-lipped about how the breach happened, security research firm RiskIQ has published a detailed analysis which points the finger at the Magecart criminal gang. According to the researchers, the criminals were able to insert a modified version of a standard Javascript library containing just 22 additional lines of code which then skimmed the payment card details in a formjacking attack and sent the payment card and personal data to a server controlled by the criminals.
Alex Cruz, the chairman and CEO of British Airways, said he was “surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data.”
The response from BA’s CEO is revealing – his focus was not that a breach happened, but that he says the firm handled the management of the data breach well.
In contrast, Information Commissioner Elizabeth Denham said:
“…the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
For many business leaders, it often looks cheaper to write a response plan to handle a data breach that they believe is unlikely to ever happen than it is to definitely spend a lot of money on equipment and staff to ensure a breach does not happen in the first place. The ICO’s comments make it clear that in the world of GDPR that cynical logic no longer holds true. With the scale of fines available under GDPR being up to 4% of global turnover, regulators appear keen to send a message to businesses that it is going to be much more economical to prevent a data breach than it is to clean up after one happens and face huge fines.
The half million pound fine issued to Facebook after the Cambridge Analytica scandal was seen by many as being so low as to not affect corporate behaviour in any way – it was merely a cost of doing business. In the wake of the BA fine, it is now becoming clear that for many businesses it will make much more commercial sense to invest in their information security and be able to clearly demonstrate that they did all they could to prevent a data breach.
Many Information Security managers may well find it easier to gain boardroom support for their request for budget as the implications of the new regulatory regime sink in.
