

In a post-GDPR world, it seems like data regulation watchdogs finally have some bite to their bark.

In the past week, the Information Commissioner’s Office (ICO)—a security authority in the UK—announced it would fine British Airways and the Marriott hotel chain $229 million and $124 million, respectively, for data breaches that took place in 2018 and 2014.

These are not insignificant figures; British Airways could be paying 1.5 percent of its worldwide turnover in 2017 in fines, while Marriott could be paying approximately 0.6 percent of its annual revenue for 2018.

New powers given to watchdogs under the EU’s General Data Protection Regulation mean that companies are finally getting more than a slap on the wrist for massive security failures. For the worst offenses, a company could be made to pay 20 million euros, or 4 percent annual global turnover—whichever is greater.

In contrast, Facebook was fined just £500,000—the maximum amount under the old regulations—for its involvement in the Cambridge Analytica scandal, which exposed the data of up to 87 million people worldwide.

We’re Not Mad, Just Disappointed

Nevertheless, Facebook, British Airways, and Marriott all expressed the same sentiment in response to these fines: disappointment.

In a statement, Marriott International’s President and CEO, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest… We deeply regret this incident happened. We take the privacy and security of guest information very seriously.”

BA’s chairman and chief executive Alex Cruz also said he was “surprised and disappointed” by the fine, saying that the company “found no evidence of fraud/fraudulent activity on accounts linked to the theft.” Willie Walsh, CEO of British Airways’ parent company IAG, said BA will “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Simply put, these companies should not be “disappointed”; they should be better. British Airways’ website and app were compromised by only 22 lines of code, according to security researchers at RiskIQ. A vulnerability in the third-party JavaScript library Modernizr meant that customer data was sent to a website not controlled by British Airways, where the hackers scooped up information on 500,000 customers.

BA had not updated Modernizr since 2012, which “suggests a more systemic issue of IT governance at BA,” Andrew Dwyer, a cybersecurity researcher at the University of Oxford, told Wired. “Effective monitoring would have picked up this quickly—not the three months it took BA.”
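The kind of monitoring Dwyer describes can be made concrete: pin the hash of each third-party script you serve (the same value a Subresource Integrity attribute would carry) and flag any outbound host in the served copy that is not on the site’s allowlist. This is an added example, not RiskIQ’s analysis or BA’s code; the script body, hash and host names are constructed stand-ins.

```python
"""Added example: detect tampering in a self-hosted third-party script
(e.g. a Modernizr build) by hash pinning and an outbound-host allowlist.
All script text, hashes and host names below are constructed."""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed: the script body reviewed and approved at deploy time.
KNOWN_GOOD = b"/* modernizr (constructed stand-in) */\nwindow.Modernizr={};\n"
KNOWN_GOOD_SHA384 = hashlib.sha384(KNOWN_GOOD).hexdigest()

# Constructed: hosts the site legitimately contacts from the browser.
ALLOWED_HOSTS = {"www.example-airline.test", "api.example-airline.test"}

URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")


def sri_value(data: bytes) -> str:
    """Subresource Integrity value for the script, e.g. 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def unexpected_hosts(script: bytes, allowed=ALLOWED_HOSTS):
    """Hostnames referenced by absolute URLs in the script that are not allowlisted."""
    hosts = {urlparse(m.decode(errors="replace")).hostname for m in URL_RE.findall(script)}
    return sorted(h for h in hosts if h and h not in allowed)


def check_script(served: bytes, expected_sha384: str = KNOWN_GOOD_SHA384) -> dict:
    """Compare the served copy against the pinned hash and the host allowlist."""
    digest = hashlib.sha384(served).hexdigest()
    return {
        "integrity_ok": digest == expected_sha384,
        "unexpected_hosts": unexpected_hosts(served),
    }


# Constructed: the same script with an appended reference to an outside host,
# the shape of change a daily integrity check would surface within hours.
TAMPERED = KNOWN_GOOD + b"var sink='https://collector.example-evil.test/in';\n"

if __name__ == "__main__":
    print("pinned SRI:", sri_value(KNOWN_GOOD))
    print("approved copy:", check_script(KNOWN_GOOD))
    print("served copy:  ", check_script(TAMPERED))
```

Run the same check against every copy of the script your CDN or origin actually serves; a hash mismatch or a new host is the alert, and an unchanged hash since 2012 is itself a governance finding.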

Marriott, too, should have been monitoring its security more effectively, as an in-depth investigation into the 2015 breach could have “isolate[d] hackers back in 2015,” according to Andrei Barysevich, a researcher at security company Recorded Future, the Wall Street Journal reports. Instead, the intruders remained in the system for three years, despite the resources of an international hotel chain.

As any good medical professional knows, prevention is easier, and cheaper, than a cure. Security is no different. Eerke Boiten, professor of cybersecurity at De Montfort University, has said it is likely to cost companies like British Airways a few million to maintain technical solutions and pay the staff to implement them—almost 100 times cheaper than the fine the airline will have to pay.

There is, of course, the moral argument that no customer can take sufficient security precautions to protect themselves against hacks like these, and therefore it is the responsibility of the company to bear the burden. As PCMag’s Max Eddy wrote about the attack on Target that exposed 40 million credit and debit…
