The UK Data Protection Authority, abbreviated ICO, struck hard by fining British Airways 204 million euros.
It must be admitted that, for its first real "data breach" case since the implementation of the GDPR, the authority intends to assert itself. The amount of the fine is undoubtedly meant as a deterrent, but it could have other consequences. Indeed, companies may end up reporting fewer and fewer incidents of this kind in order to avoid such sanctions.
The case dates back to September 2018. British Airways had notified the UK Data Protection Authority of a security issue, in accordance with Article 33 of the GDPR, which states that in the event of a personal data breach, the data controller is obliged to notify the breach to the relevant supervisory authority, here the ICO.
In this case, internet traffic destined for the airline's official site was diverted to a fake site. More than five hundred thousand (500,000) customers were victims of this fraud, which allowed the hackers to steal a large amount of data, such as login data, information about customers' various transactions (payment cards, travel bookings) as well as personal information (names and addresses). This is classic phishing. The severity of the fine was probably due to the fact that such a classic technique could defeat the entire system of such a large company. It would probably be an occasion to raise the question of possible negligence.
To justify this colossal fine, Elizabeth Denham, head of the UK regulatory authority, said: "People's personal data is just that – personal data. When an organisation fails to protect it from loss, damage or theft, it is more than a drawback. That's why the law is clear: when you are entrusted with personal data, you need to take care of it. Those who do not will have to be examined carefully by my office to verify that they have taken the steps to protect fundamental privacy rights."
A "data breach" is a concept that Article 4 of the GDPR defines as a breach of the security of a system that results in the accidental or unlawful destruction, loss, alteration, disclosure of, or unauthorized access to, personal information that is transmitted, stored or otherwise processed.
British Airways, of course, cooperated with the investigation, which has allowed it to improve its technical protection tools.
At the end of the investigation, carried out in cooperation with other authorities in accordance with the new Article 60, the administrative authority has just informed us of its draft decision, which imposes an extremely high fine of 204 million euros on British Airways.