£50 a breach. Pathetically small amount.

IAG had £23 billion of revenue last year. Over the last 9 years their total profit was £10,000 million, partly driven by slashing IT costs.

A £1 billion fine wouldn't massively hurt a company that's made ten times that in post-tax profit in the last decade, but it would cause companies to take information security more seriously.

This is the equivalent of someone on an average UK salary being fined £20.
Slightly off topic, but are fines even the right approach to get better behaviour? What incentive structure do they encourage?

I fear it encourages you to hide or downplay an incident, if possible, when issues do happen. Instead you'd rather want to encourage transparency and some way to prove you're following good practices and have a good track record. Maybe some incentives like car insurance companies claim to follow: better driving record, reduced insurance costs. (Not that I think car insurance is a successful/good example.)

Failure cases (like data breaches and ransomware attacks) are certainly easier to measure, though, so maybe this is the best we can hope for...
> The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019.

> It said "the economic impact of Covid-19" had been taken into account.

Why do I get the feeling that if £183m would not have mattered much to BA's bottom line back then, now that it does, they get a discount?

Is there any other non-business analogy where you get a discount on a fine because you hit rough times financially?
Does seem a very large reduction in the fine, even allowing for current pandemic issues.

Of course, if BA had been more security conscious and actually checked their third-party JavaScript files regularly, perhaps using https://ScriptScanner.com (full disclosure: it's my app), then they would have caught the hack a lot quicker.

This would have greatly reduced the fine and the distress caused to their customers having to cancel their cards.
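The "check your third-party JavaScript regularly" point above is the defensive control worth seeing in code. The following is an added example, not code from the comment's author or from ScriptScanner: it records a Subresource Integrity (SRI) hash for each external script at audit time, re-hashes the current copy, and reports any script that has been modified, added or removed. The script URLs and contents are constructed inline so it runs offline; a real deployment would replace them with fetched bodies.

```python
import base64
import hashlib

# Constructed baseline: script bytes as they were when the page was last audited.
# In practice these would be the bodies fetched and reviewed on a previous run.
BASELINE_SCRIPTS = {
    "https://cdn.example.invalid/analytics.js": b"window.track = function (e) { send(e); };\n",
    "https://cdn.example.invalid/payments.js": b"function pay(card) { return post('/pay', card); }\n",
}

# Constructed "current" fetch: payments.js has gained a line nobody reviewed.
CURRENT_SCRIPTS = {
    "https://cdn.example.invalid/analytics.js": b"window.track = function (e) { send(e); };\n",
    "https://cdn.example.invalid/payments.js": (
        b"function pay(card) { return post('/pay', card); }\n"
        b"// unreviewed change\n"
    ),
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value for content, e.g. 'sha384-<base64 digest>'.

    This is the same format browsers accept in a <script integrity="..."> attribute.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def baseline_integrity(scripts: dict) -> dict:
    """Map each script URL to its SRI hash at audit time."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def changed_scripts(baseline: dict, current: dict) -> list:
    """Compare current script bodies against recorded hashes.

    Returns a sorted list of (url, reason) where reason is one of
    'modified', 'new' or 'missing'. An empty list means nothing drifted.
    """
    findings = []
    for url in sorted(set(baseline) | set(current)):
        if url not in current:
            findings.append((url, "missing"))
        elif url not in baseline:
            findings.append((url, "new"))
        elif sri_hash(current[url]) != baseline[url]:
            findings.append((url, "modified"))
    return findings


def script_tag(url: str, integrity: str) -> str:
    """Emit the <script> tag that makes the browser refuse a script whose hash changed."""
    return f'<script src="{url}" integrity="{integrity}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    baseline = baseline_integrity(BASELINE_SCRIPTS)
    for url, integrity in baseline.items():
        print(script_tag(url, integrity))
    for url, reason in changed_scripts(baseline, CURRENT_SCRIPTS):
        print(f"ALERT {reason}: {url}")
```

Pinning the hash in the `integrity` attribute blocks a changed script outright; the periodic comparison is what tells you it changed, and which file to go and read. Scripts that legitimately change often cannot be pinned this way, so the monitoring half still matters for those.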
I've been suggesting that fines should be proportional to the type of data they request and how much.

So the more you collect, the more you stand to lose in a data breach. That should do 2 things:

1) Encourage companies to do "least data collection" (a good thing)

2) Strengthen their security if they do any sort of non-trivial data collection