(SDN) — THERE is a lesson that can be learned from the situation British Airways (BA) is in right now.
The situation being referred to is the hefty penalty BA is facing, to the tune of £183 million, being imposed by the United Kingdom's (UK) Information Commissioner's Office (ICO).
The fine is being imposed under the European Union's (EU) highly stringent General Data Protection Regulation (GDPR).
Various news reports on Monday, July 8, cited the penalty BA is facing from the ICO owing to "last year's breach of its security systems."
The BBC (British Broadcasting Corp.) quoted the ICO as saying that the hacking incident occurred after users of BA's website were led to a bogus site.
“Through this false site, details of about 500,000 customers were harvested by the attackers,” the ICO recalled.
Elizabeth Denham, the information commissioner, noted the importance of keeping personal information secure.
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear — when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check if they have taken appropriate steps to protect the fundamental privacy rights,” she emphasized in the BBC report.
Security vendors also took notice of the hefty fine; one comment came from Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group.
He said the ICO fine on BA is “a large fine.”
Here is the full comment from Mackey sent to SDN — Science and Digital News.
“The fine of £183 million by the ICO on British Airways under GDPR for the breach experienced by BA may represent a large fine, but with it comes a cautionary tale.
“Under GDPR, fines for breaches can reach 4% of the global revenue of an organization. In the case of this fine, the ICO imposed a fine of 1.5% of 2017 revenue.
“In doing so the ICO joins CNIL with its fine on Google of 50 million Euro in stating that data privacy is serious business requiring serious attention.
“This then requires organizations to review precisely what their security procedures are – from development through deployment – and ensure that they can quantify the risks of any decisions to defer security improvements.
“These efforts range from secure development practices, up to date threat models, identification of dependency risks all the way through to penetration tests and comprehensive security audits. Of course, none of these measures bear fruit until the results are remediated, and the recent U.S. Senate report on the Equifax breach shows just how important (the) process is to breach management.”
It can be recalled that the European Union (EU), through the European Parliament, adopted the GDPR in April 2016 to replace its long-standing Data Protection Directive, introduced in 1995.
The GDPR, which took effect on May 25, 2018, is a framework and the primary law that regulates how companies protect the personal data of EU citizens.
Organizations that keep personal data are subject to the GDPR even if they do not operate in any of the 28 EU member states, and even if just one EU citizen is affected.
According to Wikipedia, the GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the EU and the European Economic Area (EEA). (SDN/EKU)