Last September I woke up to the news British Airways (BA) had been hacked.
The hackers made off with up to 500,000 customer credit card details, email addresses and billing addresses.
BA’s spokesperson was on the news telling reporters how it wasn’t really BA’s fault, and that all BA customers should cancel their credit cards.
That’s right, a big company got hacked and its customers were the ones to suffer. Cancelling your cards can end up being a long, arduous process if you have regular payments set up on them, as most people do.
Now, after a thorough investigation BA is being fined a record £183.4 million. BA, of course, is appealing. From Reuters:
LONDON (Reuters) – British Airways-owner IAG (ICAG.L) is facing a record $230 million (183.4 million pounds) fine for the theft of data from 500,000 customers from its website last year under tough new data-protection rules policed by the UK’s Information Commissioner’s Office (ICO).
The ICO proposed a penalty of £183.4 million, or 1.5% of British Airways’ 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline.
BA indicated that it planned to appeal against the fine, the product of European data protection rules, called GDPR, that came into force in 2018. They allow regulators to fine companies up to 4% of their global turnover for data-protection failures.
This fine is more than 360 times the largest fine for a data breach in UK history, which was the £500,000 fine issued to Facebook over the Cambridge Analytica scandal.
To put that into perspective, here is an infographic (courtesy of the BBC) on the size of the fine in relation to its peers.
The reason the fine is so big is because new GDPR rules allow it to be.
As the BBC says:
After all the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.
The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe’s GDPR. This allows fines of up to 4% of annual turnover.
Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon but today’s news will send a shiver down the spine of anyone responsible for cyber security at a major corporation.
The message is clear – if you don’t treat your customers’ data with the utmost care expect severe punishment when things go wrong.
But my question is, where does the money go?
These fines don’t help anyone affected in any way whatsoever
It turns out that none of the fine is used to compensate victims of the hack – the ones who may have had money stolen from them.
The penalty is “divided up between European data authorities”. The part that goes to the UK is paid directly to the Treasury.
The BBC says, “It is up to individuals to claim money from BA, which provided no information on whether any compensation had been paid.”
And it also adds that “Under the regulations, authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.”
So the government gets a nice, multi-million pound payout because BA customers have been hacked and possibly robbed.
Those victims aren’t entitled to compensation unless they take it up directly with BA, but they can “comment on the ICO’s findings”.
Well isn’t that great.
“Sorry you were robbed, but don’t worry we’re fining BA £183+ million, so that should make you feel better.”
“And will I see any of that money?”
“Of course not! It goes to the government. Why should you get any?”
Who are these fines really benefiting?
It’s all well and good holding companies to account for data breaches that affect their customers. But why should their customers care whatsoever, if they never get a share of that fine?
The hack has already happened. The victims have already been affected. The fine isn’t helping them if they don’t see any of the money.
To me, it all just seems like a cash-grab for the government, which they can spin into positive publicity – holding mega corporations to account and keeping the public protected.
It’s kind of a frustrating one, because these data breaches really do affect people’s lives and companies should be much more careful with their data.
But surely the punishment should fit the crime.
The money, or at least a big proportion of it should go directly to victims of the hack, and another big portion should be used to improve the hacked company’s security.
I can’t get my head around why the “European Data Authorities” should get… well, any of it.
How can data breaches be avoided? Well, that one’s easy
I’ve written about data breaches many times before, and the solution is always the same: decentralisation, aka blockchain.
From my article in December:
While being interviewed about the British Airways hack on Radio 4 last week, he stated: “You’ve got to assume that some of these things are going to get through.”
He admitted that even his organisation – the UK’s national cybersecurity centre, the very organisation tasked with preventing this kind of stuff – was still vulnerable to hacking.
And, although this kind of stuff doesn’t usually make the front pages, that doesn’t mean it isn’t a real threat.
In fact, when Mark Carney, the governor of the Bank of England, was asked what he believes are the biggest threats to the financial system, he stated cybersecurity.
“Because financial systems are so interconnected,” he said.
And that’s the key thing here: centralisation.
Organisations store millions – in fact billions – of user details on single, centralised databases.
Get into that database and you get everything, as we have seen time and time again.
The current solution is to make the walls on that database as strong as possible, and make the locks that keep the data in ever stronger and ever better.
What do hackers do? They simply pickpocket someone who has a key to this lock and they are in. Once they are in they can take it all. All the records, everything, in seconds.
The hackers may not even need to do anything too sophisticated to get that key. If someone has the means, and they really want in, they will get in.
If the lock is too strong, they will simply use “social engineering” to get a key from someone who already has one.
“Social engineering” is a term hackers use for playing the person not the system. Phishing attacks, like the one I wrote about in October (The anatomy of a near-perfect internet scam – which you’ve likely been targeted by) are an example of this.
What is the solution?
So, if the problem is centralisation then the solution must be… decentralisation.
Instead of storing all this data on a single, centralised database, bits of it can be stored on a blockchain.
This means there is no central database to hack. But we can do much better than that. We can make it so there isn’t even any data to hack. Here’s how it works.
One of the key developments in blockchain is zero-knowledge proofs.
These basically let you prove you have certain data without ever showing anyone that data.
So, say you want to prove you’re allowed to leave the country to British Airways, but you don’t want it to have your passport details on file, in case BA gets hacked again.
Instead of giving BA your passport details, you give proof that you own your passport and are able to fly.
Doing this without handing over your actual passport details may sound impossible, but it’s not.
Or say you ring a call centre to transfer money between your bank accounts.
Instead of giving the call operator your name, address, account number, etc., you just give them proof you have all of that information, but you never give them any of the information itself.
If the call operator is looking to steal your money or sell your information on, they can’t. They don’t actually have any information on you.
This proof all happens automatically; you don’t have to do anything. You just log in to your identity dApp (decentralised app).
This means you can prove your identity to any company without ever giving them any information about yourself.
If they get hacked, it doesn’t matter. They don’t actually have any of your personal information, just a line of computer code that proved you are who you say you are. The hacker can’t use it for anything.
As I said, it sounds like magic, but it’s actually very simple.
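As an added illustration (not code from the original article or from any product it mentions), here is the simplest textbook zero-knowledge proof, a Schnorr proof of knowledge, in Python. The prover convinces the verifier that it knows a secret x behind a public value y = g^x mod p without ever sending x, and the transcript the verifier ends up holding can be forged by anyone who knows only y, which is exactly why a leaked transcript is of no use to an attacker. The group parameters P, Q and G are constructed toy values, far too small for real use; a real deployment would use a prime-order group of roughly 256 bits and would usually make the exchange non-interactive with the Fiat-Shamir transform.

```python
"""Toy Schnorr proof of knowledge of a discrete logarithm.

The prover holds a secret x and publishes y = G^x mod P. It proves knowledge
of x without revealing it. All parameters below are constructed toy values
chosen for readability, not security.
"""
import secrets

# Constructed toy group: safe prime P = 2Q + 1, with G generating the order-Q subgroup.
P = 1019   # safe prime (1019 = 2 * 509 + 1)
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it has order Q


def keygen():
    """The secret x is the 'data' the prover never shares; y is the public value."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(x):
    """Step 1: prover picks a random nonce r and sends t = G^r. r stays private."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Step 2: verifier sends a random challenge c (unpredictable to the prover)."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Step 3: prover answers with s = r + c*x mod Q. The nonce r masks x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Step 4: verifier checks G^s == t * y^c mod P; holds iff s was built from the real x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y):
    """Run one interactive round; returns the transcript and the verdict."""
    r, t = prover_commit(x)
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return (t, c, s), verify(y, t, c, s)


def simulate_transcript(y):
    """Zero-knowledge property: with only the public y (no secret), pick c and s
    first, then solve for a t that makes verify() pass. The forged transcript is
    distributed exactly like a real one, so a stored transcript reveals nothing
    about x and cannot be replayed as a fresh proof (the verifier picks c)."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    transcript, ok = run_protocol(x, y)
    print("public y =", y, "transcript =", transcript, "verified =", ok)
    print("forged transcript also verifies:", verify(y, *simulate_transcript(y)))
```

Each round has a 1/Q chance of fooling the verifier by guessing the challenge, which is why real groups use a Q of around 256 bits rather than 509. The article’s passport and call-centre scenarios need more than this primitive on its own (the secret has to be bound to a credential issued by a party the verifier trusts), but the core property they rely on is the one shown here: the verifier ends up holding something that proves the claim yet is worthless to a thief.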
If you want to find out how zero-knowledge works, you can read the rest of that article here.
And if you want to find out how to get started investing in blockchain, I can highly recommend following this link.
Until next time,
Editor, Exponential Investor