25 comments

[ 2.2 ms ] story [ 64.5 ms ] thread
(comment deleted)
£50 a breach. Patheticly small amount.

IAG has £23 billion of revenue last year. Over the last 9 years their total profit was £10,000 million, partly driven from slashing IT costs.

A £1 billion fine wouldn't massively hurt a company that's made ten times that in post tax profit in the last decade, but it would cause companies to take information security more seriously.

This is the equivalent of someone on an average UK salary being fined £20.

the ICO is toothless by design
The ICO has quite a bit of power, they're just run incompetently.

I don't think there's a single person in the realm of data protection (or information rights in general, as the ICO is the regulator for Freedom of Information laws and Environmental Information Regulations as well) who thinks Denham has done a good job.

I wonder why they've done so badly - clearly there's likely to be some level of political pressure at play, but the ICO is independent and can and should stand up to that as just part of the job.

I've never felt any regulatory body really had the technical skills to deliver anything it was meant to do - I really wonder if there are too many public policy and junior lawyers in the ICO, and not enough deep technical experts who can rapidly investigate, fact find, and recommend prosecution or sanctions.

> The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019. > It said "the economic impact of Covid-19" had been taken into account.

Why do I get the feeling, that if £183m would not have mattered much to the bottom line of BA back then and now that it does they get a discount.

Is there any other non-business analogy where you get a discount on a fine, because you hit rough times financially?

In Norway you get fined for driving under influence proportional to your income, typically 1.5 times your monthly income before taxes.
What if you’re a billionaire but lost money in the last fiscal year?
Above a certain income level, being fined 1.5 months of your income is mearly a blip on the radar.

Plus most of the super rich actually have quite a small personal income, their wealth is from ownership of companies. There's a high chance you earned more than Bezos last year [0].

[0] https://edition.cnn.com/2019/04/11/tech/jeff-bezos-pay/index...

> Is there any other non-business analogy where you get a discount on a fine, because you hit rough times financially?

Yes I think judges routinely take ability to pay into account when considering punishment in criminal cases.

In Denmark you can apply to get a fine halved if you earn less than $2250 monthly.
I wrongly assumed this was common practice, but it seems that it really is mostly in Scandinavian countries that criminal fines in general are issued in units, with each unit amount is based on the receivers income: https://en.wikipedia.org/wiki/Day-fine
France, Germany, Romania, Switzerland and Macao are all not Scandinavian. The German Wikipedia is missing most from this list but also includes Austria and Liechtenstein.

But I thought it was more common as well, as it seems pretty fair.

Does seem a very large reduction in the fine, even allowing for current pandemic issues.

Of course if BA had been more security conscious and actually checked their third party JavaScript files regularly, perhaps using https://ScriptScanner.com ( full disclosure it's my app), then they would have caught the hack a lot quicker.

This would have greatly reduced the fine and the distress caused to their customers having to cancel their cards.

(comment deleted)
> checked their third party JavaScript files regularly

Or used subresource integrity to prevent any unauthorized JS from loading. Or just not loaded third-party JS on the checkout page to begin with.

Agreed.

Very poor form for a company of BA's size to have third party JavaScript on the checkout page

As far as anyone's been able to tell, I think the third party JavaScript files were hosted on the same BA server as the website itself, so subresource integrity wouldn't help - the hacker could just change the tags loading the JS so that the integrity checks passed.
If this is true then they should’ve moved JS to a CDN or something and used SRI.
> if BA had been more security conscious and actually checked their third party JavaScript files regularly

Or not stored credit-card details in plain text.

I've been suggesting that fines should be proportional to the type of data they request and how much.

So the more you collect, the more you stand to lose in a data breach. That should do 2 things:

1) Encourage companies to do "least data collection" (a good thing)

2) Strengthen their security if they do any sort of non-trivial data collection

There are other security problems with BA going on. I would not be supprised if you soon see more headlines about them.
Slightly off topic, are fines even the right approach to get better behavior? What incentive structure does they encourage?

I fear it encourages you to hide or down play an incident, if possible, when issues do happen. Instead you’d rather want to encourage transparency and some way to prove you’re following good practices and have a good track record. Maybe some incentives like car insurance companies claim to follow: better driving record, reduced insurance costs. (Not that I think car insurance is a successful/good example.)

Failure cases (like data breaches and ransomware attacks) are certainly easier to measure though, so maybe this is the best we can hope for...

They should put them into special measures like a failing school. And BA should be forced (at their own expense) to have regular detailed audits of their information security which are published and scrutinised by the ICO. Maybe for at least two years. Of course one would need to find competent and able auditors and ICO employees to fulfil this.