10 Jul, 2019

Record penalty for personal data breach: £183.39 million

According to a notice published on the ICO's own website, the UK-based airline British Airways is facing a record fine. The office has notified the London Stock Exchange that it intends to impose a fine of £183.39 million on the company. This amount corresponds to 1.5 percent of the company's annual turnover.

The grounds for the penalty are the security breach that British Airways first reported to the ICO on September 6, 2018. The personal and financial information of 380 thousand of the company's customers was stolen through its website and mobile application. The ICO believes that the breach began in June 2018 and that the customer data was stolen because of poor security measures. If this assessment is confirmed, the basis of the penalty will be that the company did not take adequate security measures to protect its customers' information.

The penalty is not yet final: the company has a 28-day period in which to make representations against it. Even though the fine is not yet certain, it has already caused a shock around the world, because the highest penalty the ICO had previously issued was the 500 thousand pounds imposed on Facebook.

In the incident known as the Cambridge Analytica scandal, Facebook unlawfully shared the personal data of 50 million users worldwide with third parties, and because at least 1 million of them were British citizens, the ICO fined the company 500 thousand pounds.

Until 25 May 2018, the maximum penalty that could be imposed for a personal data breach was set at 500 thousand pounds. With the GDPR coming into effect on that date, fines for companies that fail to comply with personal data protection requirements can reach 4% of the company's annual turnover or 20 million Euros, whichever is greater. In other words, the penalty proposed for British Airways, equivalent to 1.5% of its turnover, is well below the maximum level.

However, one consequence may matter more than the penalties themselves. A £500,000 fine for a multi-billion dollar company like Facebook could be regarded as a drop in the ocean, yet the company lost approximately $50 billion in value after the penalty. When the loss of user trust is added to this, the figure grows even larger. This shows that the importance of personal data security cannot be measured only by the penalties imposed.

The ICO's latest decision has brought home the importance of personal data security, with a shock effect felt all over the world. The same trend is visible in the recent penalties issued under the Personal Data Protection Law (KVKK), which was enacted in Turkey in 2016 and is considered the counterpart of the GDPR in Europe. The Board has issued three consecutive fines for failing to take adequate security measures and thereby allowing customers' personal data to be seized unlawfully: a total of 1.650.000 TL for Facebook, a total of 1.450.000 TL for Marriott International and a total of 550,000 TL for Cathay Pacific.

We would like to remind you that every organization that processes personal data is obliged to fulfill its obligations under KVKK. You can contact us with all your questions and needs and benefit from our end-to-end services, which combine three disciplines (cyber security, law and governance) within the scope of KVKK.
