Earlier this week, the ICO (Information Commissioner’s Office), the UK’s data protection authority, announced that it would be fining British Airways £183.4 million (about €204 million) for a data breach that occurred last year.
The incident, which affected 500,000 customers, involved a sophisticated attack in which criminals diverted traffic from British Airways’ website to a bogus replica, which was used to siphon off personal details.
It’s by far the largest fine handed out for a data protection violation, beating the €50 million penalty levied against Google in February.
A day later, the ICO said it would be fining Marriott £99.2 million (about €110 million) for a historic data breach that was uncovered in 2018.
The scale of these fines stems from the disciplinary powers enshrined in the GDPR (General Data Protection Regulation). The Regulation gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organisation’s annual global turnover.
This means that regulators finally have the wherewithal to deter organisations from neglecting security.
The days of proverbial slaps on the wrist – like the ICO’s largest pre-GDPR fine, a £500,000 (€565,000) penalty against Facebook – are in the past. Organisations now know that it’s more cost-effective to invest in security than to run the risk of penalties.
What went wrong at British Airways?
The data breach at British Airways was fairly standard as far as high-profile data breaches go. The organisation made two mistakes, the first of which was failing to detect system vulnerabilities, which enabled fraudsters to inject malicious code into the organisation’s website.
About half a million visitors were duped, handing over their login details, payment card information, address and travel booking information to the criminals.
That’s a serious error – one that a vulnerability scan or penetration test would have been able to prevent – but arguably more forgivable than the airline’s inability to properly assess the scale of the incident.
British Airways initially reported that the breach affected 350,000 people, but a month after disclosing the incident, it said financial data was also implicated and that another 100,000 customers were affected.
The airline was equally embarrassed when the ICO’s investigation found that the breach didn’t occur between August and September, as it had claimed, but that the vulnerability existed as early as June.
However, as egregious as these mistakes are, they don’t represent the kind of unprecedented information security failing that the size of the fine might suggest.
The truth is that, unfortunately, incidents like this occur regularly. The difference is that this is the first major data breach that has been investigated under the GDPR. A fine of this size therefore isn’t an aberration; it’s the start of a new norm.
That’s bad news for every organisation within the Regulation’s scope, but it’s particularly bad for multinationals that have a poor history when it comes to data protection. Organisations like, say, Facebook.
Facebook faces an even bigger fine
The same week as the ICO disclosed its British Airways fine, the European Court of Justice began hearing a case regarding the legality of Facebook’s data transfers between Europe and the US.
The case, which was brought to court by the Irish DPC (Data Protection Commission), concerns the use of SCCs (standard contractual clauses), which organisations use to move personal data out of the European Economic Area. Organisations are permitted to use these under the GDPR, but they must document how and why they are doing so.
If the European Court of Justice finds that Facebook violated the Regulation’s requirements, it could become the next organisation to receive a mammoth penalty. A fine on the same scale as that levied against British Airways (1.5% of the organisation’s annual global turnover) could see Facebook being hit with a penalty close to €1 billion.
We don’t imagine the fine, if there is one, will be anything close to this – the error was more akin to the Google incident earlier this year – but it shows how much the GDPR has raised the stakes for organisations that neglect information security and data privacy.
The European Court of Justice case is only the start of Facebook’s problems with the DPC. The supervisory authority is currently undertaking several investigations into the social media giant, with Commissioner Helen Dixon saying that the findings would be released this summer.
The investigations began with consumer complaints about the way Facebook processes personal data. Two more investigations were launched after it breached 500 million users’ passwords and uncovered a bug that gave third-party apps access to more of users’ photos than were disclosed in its policy.
The DPC is also investigating complaints about WhatsApp and Instagram, which are both owned by Facebook, as well as Twitter, Apple and LinkedIn.
If any of the organisations being investigated are found liable, Dixon said that a substantial fine “is the certainty rather than the likelihood”.
However, she added that financial penalties alone won’t prevent organisations from violating the GDPR’s requirements in the future. Organisations like Google are more likely to spend money fighting the ruling and trying to protect their reputation than to invest in security practices.
“Companies are lawyering up and we’re typically dealing with more litigators and lawyers on the side of any inquiry that we conduct,” Dixon said.
“It does show the power that they have in terms of the size. But we have all the cards in terms of the powers to investigate, to compel and ultimately to conclude and make findings.”
Last chance for GDPR compliance?
After an understandably slow start to GDPR enforcement, disciplinary action is now in full swing. Although the headlines are dominated by incidents involving huge corporations, every organisation is at risk.
Many organisations have been neglecting their compliance requirements until now, due to the high cost of implementation and the uncertainty over how the Regulation would be enforced. Meanwhile, several commentators called it ‘the new Y2K’: a whole lot of fuss over nothing.
However, they neglected to consider that the reason Y2K amounted to nothing is because organisations around the world worked tirelessly to correct their systems to prevent disaster.
The same can only be true of the GDPR if organisations go to the same lengths. Regulators have now proved that they aren’t afraid to levy the Regulation’s strengthened disciplinary powers, so organisations must work quickly to address compliance gaps before they find themselves in supervisory authorities’ crosshairs.
Those who want advice on how to get started should download EU General Data Protection Regulation – A Compliance Guide.
This free green paper provides a comprehensive introduction to the Regulation’s requirements and explains the critical areas organisations need to be aware of when preparing for compliance.