The UK's Information Commissioner's Office (ICO) has just announced a record-setting £183.39 million penalty against British Airways for a 2018 data breach.
It has followed this up with another breathtakingly large fine: a proposed £99.2 million penalty against hotel group Marriott International over a breach, disclosed in November 2018, that exposed records of around 339 million guests globally.
The two fines are the latest development in the enforcement of Europe's General Data Protection Regulation (GDPR), and a sobering one for anyone working in cybersecurity at a major company.
These record fines show that the GDPR's bite is as bad as its bark. Below, we explain what you need to know about how BA and Marriott fell afoul of the regulation.
What Has British Airways Been Fined For?
The fine, which comes to around $229.54 million in US dollars, is the result of British Airways' violation of the EU's General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.
According to the ICO, BA's data breach began in June 2018. Traffic to the British Airways website was diverted to a fraudulent site designed by the attackers to harvest customer data.
The personal data of around 500,000 British Airways customers was compromised. British Airways reported the incident to the ICO in September 2018.
How about Marriott's Fine?
Marriott International's story is similar: the breach was discovered and disclosed in November 2018, well after GDPR took effect, and it exposed personal data from around 339 million guest records, including credit card details, passport numbers and dates of birth.
The ICO has stated that around 30 million of the affected records relate to residents of the European Economic Area, and about 7 million to UK residents. The core issue, according to the ICO's investigation, stemmed from the Starwood hotels group: Starwood's systems are believed to have been compromised in 2014, and when Marriott acquired Starwood in 2016 it failed to carry out sufficient due diligence on the IT systems it was inheriting. Those already-compromised systems led to the data breach.
What is the GDPR?
Billed as the "most important change in data privacy regulation in 20 years," the GDPR is an EU regulation designed to revamp data privacy rules in an age when web users are only just starting to appreciate how deeply their privacy has been compromised by data-hungry tech giants.
Among other things, the GDPR lays down rules governing the type of data companies can hold on their customers, how long they can hold it, whom they share it with, and how the data is processed.
Under the GDPR, companies found in breach of the regulation can be fined up to €20 million or 4% of annual global turnover, whichever is higher. Looked at this way, British Airways got off lightly: it could have faced a fine as high as £500 million.
Since GDPR has only been in effect since May 2018, this is among the earliest examples of a huge fine hitting a major company for data protection violations. The British Airways case lets the ICO show that it intends to enforce the regulation properly rather than let it become a toothless one.
Is the British Airways GDPR Fine Normal?
Is such a large fine the "new normal" in the post-GDPR world? The short answer is that we don't have enough data to say for sure. Since GDPR is relatively new, there is not yet a baseline against which to judge just how heavy a penalty £183.39 million is.
Under the previous UK law, the Data Protection Act 1998, the maximum fine was a comparatively forgiving £500,000. By that definition of "normal", this new fine is about 366 times bigger.
Most recently, Facebook's Cambridge Analytica data scandal earned that maximum £500,000 fine from the ICO. Would Facebook have tightened its data standards more quickly if it risked a penalty many hundreds of times larger? One would hope.
If anything, the BA fine sets a new benchmark for the cost of a data breach. Fining a company roughly $229 million for exposing the data of 500,000 customers works out to about $459 per customer. By the same logic, the 143 million people affected by the Equifax breach could have translated into a fine of more than $65 billion.
Still, we have seen larger fines in the past, if not under GDPR. Earlier this year, the European Commission fined Google a whopping €1.49 billion (around $1.7 billion) for breaching EU antitrust rules.
What Happens Next?
Just as Google has consistently appealed its EU fines, British Airways intends to fight this one. The ICO's announcement is a notice of intent, and BA has 28 days to make representations before the penalty is finalised.
“We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals,” Willie Walsh, chief executive of IAG, told the BBC.
Alex Cruz, British Airways' chairman and chief executive, further added that the company was “surprised and disappointed” by the ICO's finding, saying “British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Marriott, too, plans to contest its proposed penalty.
Whatever else happens, these cases should spur security teams to leave nothing to chance when it comes to securing customer data. For those that fall short of the GDPR's standards, a nine-figure fine may not be far away.
Read more of the latest cybersecurity news on Tech.co