The Information Commissioner's Office (ICO) has announced its intention to fine British Airways £183.39M, following a cyber incident in which the personal data of approximately 500,000 people was compromised.
Hang on a minute. Is it fair for BA to receive a hefty fine if they were the subject of a targeted cyberattack? Weren’t BA just a victim at the hands of professional hackers? Shouldn’t the authorities punish the cyber criminals, rather than BA?
Yes, of course the cyber criminals should be brought to justice, but BA has a legal obligation to ensure that it keeps personal data secure. When the ICO conducted its investigation, it found that BA's security arrangements for personal data were poor and did not comply with the General Data Protection Regulation (GDPR). That is why the ICO intends to fine BA.
£183.39M is a huge amount. It is a massive fine for a massive company, but there is a lesson for all businesses here, because the same rules apply no matter how large or small your organisation is. The ICO is sending out a clear message: if your organisation suffers a cyberattack because its security of personal data is not good enough and it does not adhere to the strict requirements of the GDPR, it is likely to face formal action.