Looks like GDPR is a thing after all - BA gets fined £183m
-
UK's Information Commissioner's Office fines BA 1.5% of its global turnover (the law allows for up to 4%) in a sign that they're taking the GDPR thang seriously.
This is 366 x the largest pre-GDPR fine (Facebook and Cambridge Analytica)
The leak was for 500,000 payment card numbers, expiry dates and CVVs, so pretty substantial.
-
Hmmm, seems a very harsh penalty for what appeared to be a supply chain attack (even if the article is mostly speculation and months old).
-
@skotl Fines are paid (indirectly) by shareholders and customers, not by the people who actually violated the law. Oh, and fines are a way to fund the government without "raising taxes." Only criminal prosecution, personal liability and jail time would actually work.
-
@JBert said in Looks like GDPR is a thing after all - BA gets fined £183m:
Hmmm, seems a very harsh penalty for what appeared to be a supply chain attack (even if the article is mostly speculation and months old).
That's exactly how regulation is supposed to work in capitalism though. You put the incentives at the beginning or end of the supply chain, and let them flow upwards or downwards through the Free Market™. You don't micromanage and decide how much punishment or reward each part gets.
Now all companies know that every third party service they trust could cost them £183m, and should be willing to spend as much vetting those services and securing the communication with them.
-
@lolwhat said in Looks like GDPR is a thing after all - BA gets fined £183m:
@skotl Fines are paid (indirectly) by shareholders and customers, not by the people who actually violated the law. Oh, and fines are a way to fund the government without "raising taxes." Only criminal prosecution, personal liability and jail time would actually work.
Technically, of course I agree with you, but I disagree about the impact of huge fines. These are intended to be warnings not only to the company involved but to all other companies, too.
A business that gets a £183m fine is probably going to fire those responsible, and has to somehow make the money back: projects get cancelled, department budgets get slashed, people are let go, etc. Not many businesses can afford to simply stump that cash up so there will absolutely be consequences for those directly and indirectly involved. And you know what? It makes it easier for people like me to go to our bosses and say "You can't just keep ignoring this or papering over the cracks - look at the fine that BA just got - do you want that to happen to us?", which has to be a good thing.
-
In related news, looks like the ICO is on a roll...
Chasing Marriott for £99m
-
From the Marriott article - a security geezer puts it better than I did:
"The draconian fines... are a wake-up call to all organisations, big and small.
Although this may come as a blow to a company such as BA or Marriott, they are robust enough to weather the storm. A smaller organisation suffering a serious breach could find itself overwhelmed by any penalty which, when combined with the loss of consumer confidence and the associated reputational damage - with devastating consequences for its business."
-
@lolwhat said in Looks like GDPR is a thing after all - BA gets fined £183m:
@skotl Fines are paid (indirectly) by shareholders and customers, not by the people who actually violated the law. Oh, and fines are a way to fund the government without "raising taxes." Only criminal prosecution, personal liability and jail time would actually work.
Yes, and if you then try to get to the people actually responsible... then you get bogged down for decades. This way is faster and more direct. And thus more effective.
-
@lolwhat said in Looks like GDPR is a thing after all - BA gets fined £183m:
shareholders
Are responsible for investing in crappy companies.
-
@lolwhat said in Looks like GDPR is a thing after all - BA gets fined £183m:
Fines are paid (indirectly) by shareholders and customers, not by the people who actually violated the law
Customers can choose a competitor. And the shareholders are responsible for investing in a badly run company and backing the directors who allowed the breach to happen.
I don't see the problem.
-
@skotl said in Looks like GDPR is a thing after all - BA gets fined £183m:
and has to somehow make the money back: projects get cancelled, department budgets get slashed, people are let go, etc.
Costs to customers are increased.
@skotl said in Looks like GDPR is a thing after all - BA gets fined £183m:
And you know what? It makes it easier for people like me to go to our bosses and say "You can't just keep ignoring this or papering over the cracks - look at the fine that BA just got - do you want that to happen to us?", which has to be a good thing.
This.
I work for a large ISP, and after the 2015 TalkTalk breach happened, £millions became available for security improvements that weren't available before, and it got taken as a higher priority by senior management.
-
@loopback0 said in Looks like GDPR is a thing after all - BA gets fined £183m:
I work for a large ISP
I hate you
-
@TimeBandit All available evidence suggests the feeling is mutual.
-
@skotl said in Looks like GDPR is a thing after all - BA gets fined £183m:
Not many businesses can afford to simply stump that cash up so there will absolutely be consequences for those directly and indirectly involved.
It's relative to global turnover: 1.5% (with 4% as the max allowed by law), which will sting hard but is unlikely to kill the company. It will still lead to consequences for the people who didn't take care… which is indeed the point.
-
@dkf said in Looks like GDPR is a thing after all - BA gets fined £183m:
It's relative to global turnover: 1.5% (with 4% as max allowed by law) which will sting hard, but is unlikely to kill the company.
Yes and no. In cut-throat markets with tiny margins and large turnovers, 4% of turnover might very well be more than the profit margin (I found this page with some data, if you want to see for yourself). So it's indeed probably not enough to kill the company (unless it is already in such a precarious situation that anything would kill it), but it's large enough to be unlikely to be ignored by management.
-
@remi said in Looks like GDPR is a thing after all - BA gets fined £183m:
it's large enough to be unlikely to be ignored by management
Yes. It can easily wipe out entirely the profits from several years in one go, since turnover is much larger than profit in most companies. There are a few companies which might be able to shrug such things off as a cost of doing business (academic publishing is a total racket!) but they're a tiny minority.
-
@dkf The page I found previously is fairly interesting. It's missing some information and I have no idea how reliable or up-to-date it is, but it seems to indicate that the financial sector, generally speaking, is operating on a 20% net margin or more, so they might be able to bear the brunt of a 4% hit without too much pain. But most consumer sectors (all the retail things, recreation...) are on less than 4% margin, so that would be a huge issue for them.
IAG seem to be working on a 5-6% net margin, so 1.5% means about a quarter of their margin is being wiped out.
Marriott (mentioned up-thread as facing a potential £100 million fine) apparently has an overall turnover close to 20 billion, and a net margin closer to 10% (about 2bn). 100m is closer to a drop of water for them, both in terms of revenue (0.5%) and margin (about 5%).
-
I'd rather gut and impale people that steal identities.
-
@xaade just make sure you don't accidentally pursue the wrong guy!
-
@xaade said in Looks like GDPR is a thing after all - BA gets fined £183m:
I'd rather gut and impale people that steal identities.
Errrr... what? Whose identity is it that I'm supposed to have stolen (and I don't understand the gut-and-impale bit either....)?
-
@skotl wants to punish the hackers/fraudsters more harshly, not the negligent companies that enable them.
-
@error :why_not_both.emoji:
-
@error
the problem is that companies are careless because the data loss doesn't cost them a dime while the entire burden of the crime is on normal consumers.