This article originally appeared in CIO Dive on July , 2019.
- United Kingdom regulator Information Commissioner's Office (ICO) plans to fine British Airways a record $230 million (£183.39 million) following the airline's 2018 data breach, according to the ICO's notice of its intention.
- The General Data Protection Regulation (GDPR) infringement was a result of "poor security arrangements" by the airline, according to the ICO. As an investigation continues, British Airways has the "opportunity to make representations to the ICO as to the proposed findings and sanction."
- More than 500,000 customers were victims of British Airways data breach and compromised data included login, payment card, travel book details, names and addresses. British Airway's fine was in response to a data breach that routed users from the company's website to a fraudulent one. From there, "customer details were harvested by the attackers," according to the ICO.
More than one year into GDPR, the stakes keep getting higher.
Though British Airways cooperated with the ICO in the aftermath of the breach, it didn't insulate the company from penalties. The hefty fines highlight the significance of knowing where a company's data lives, whether in-house or in third parties.
"If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest," said Alex Calic, strategic technology partnerships officer for The Media Trust, in an emailed statement to CIO Dive.
Google was handed down the first "game changing" fine, $57 million, of the GDPR era. Regulators said the tech company failed to adequately communicate to consumers what data was collected, why it was processed, how long it was stored, and sufficiently obtain consent.
Before Google's fine, Facebook was billed upwards of $600,000 for its 2018 Cambridge Analytica scandal. The social network is also expecting to lose between $3 billion and $5 billion to fines from the Federal Trade Commission (FTC) in the U.S. in relation to the scandal.
While data privacy is an old conversation, regulating it has remained a challenge. GDPR has set the stage for expectations of responsible data management and the consequences for failing. The FTC has made strides in seeking further authority for reinforcing data privacy protections.