The European Union has tightened its online data protection laws in recent years. The union has some of the strictest laws against data breaches of any country or group in the world, and it’s coming down hard on companies that fail to protect their consumers’ sensitive data. After hackers stole sensitive data from British Airways (BA) last September, the Information Commissioner’s Office (ICO) is fining the carrier £183.39 million ($230 million). Officials hope that the massive fines will send a warning to other companies to take private user data seriously.
The British Airways Breach
Customers who booked flights on British Airways between August 21 and September 5 of 2018 may have had their information stolen by hackers, according to the airline. The airline revealed last fall that a cybersecurity breach compromised sensitive data like names, addresses, and financial information of customers. While specific customer information, like travel dates and passport information, was kept safe, the airline initially suggested that those who feared they were impacted reset their bank and British Airways account information.
It was later determined that the breach impacted around 380,000 people around the world. The airline was quick to react to the breach and to investigate the cause and source of the attack, but the ICO is still choosing to give a hefty fine to the company for failing to keep the data secure in the first place. Elizabeth Denham, the Information Commissioner behind the ICO of the European Union, said in a statement, “People’s personal data is just that—personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear—when you are entrusted with personal data you must look after it.”
The Record Fine
Up until now, the ICO hasn’t given very big fines in response to security breaches. For example, Cambridge Analytica faced just a £15,000 fine for its data crimes that were outed just over a year ago. Facebook, on the other hand, faced a £500,000 fine for the role it played in the same scandal. It may seem like a lot, but to global tech companies that deal with billions of dollars at a time, a few hundred thousand dollars (or equivalent) is simply spare change.
The ICO wanted to send a message with its fine to British Airways. The decision to fine the company a couple hundred million dollars sent a clear message to the rest of the tech industry: data protection is nothing to skimp on. British Airways plans to protest the fine in court, where the ICO said it will make a final decision. However, the intention behind increasing these fines was to tell any company that runs any form of web payment that it must make security a top priority if it wishes to continue.
Europe also recently put the General Data Protection Regulation (GDPR) into place, which allows for greater fines for companies that do not prioritize data security on their websites. The ICO came up with the fine amount by looking at British Airways’ global turnover. The amount, which is roughly 1.5%, may not seem like much. However, for many airlines it could represent the difference between profit and debt. Had the situation happened with WOW Air, for example, the airline might have called it quits much faster.