It's all gone to shit

The upside to 'methodical'

In 2018, British Airways experienced a data breach that affected personal and credit card details for more than 400,000 customers. Now, the UK's Information Commissioner's Office has fined the airline £20M for that breach. After taking into account the economic impact of Covid-19, this is substantially less than the £183M fine that the ICO originally announced in July 2019.

According to the BBC's report:

Data protection officer Carl Gottlieb said that in the current climate, £20m was a "massive" fine. "It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures," he said.

BBC News droid

But, if the ICO had acted last year, when it stated its original intention, BA could have been looking at a far more thought-provoking fine. Fortunately for them, COVID-19 and the ICO's ~~lack of urgency~~ methodical working combined to let them off the hook.

The lag between incident and fine has raised eyebrows in privacy circles but I understand the Information Commissioner's Office has been working methodically to get it right. This is the commissioner's first major fine under the EU data regulation GDPR and was being watched closely by the rest of Europe as a potential landmark decision.

Joe Tidy, cyber reporter, BBC News

I would feel bad for BA if this weren't a self-inflicted injury, since available security measures had not been implemented on their platform; if they hadn't treated their staff so disgracefully; and if they still offered excellent service.

BA used to be a premium carrier, one that I was proud to fly. But it's been run into the ground, and now is to be avoided, unless absolutely necessary.

Admittedly, the airline industry has been in long decline over recent years, but BA's gouging is offensive. For short-haul flights, I would prefer that they offered no inflight catering, rather than selling M&S products at inflated prices; it's cheaper to buy the same food and drinks at M&S's own store at Heathrow Airport—hardly a bastion of cost consciousness—than on the flight itself. And I can't believe that the airline buys it at store retail prices in the first place. This is insulting, so screw 'em.

Still, £20M is a fair chunk of change. I wonder if it'll be used to compensate those 400,000 customers?…(thinking)…Nah!


Lest you think that I'm being overly cynical about the distribution of the fine: The penalty is divided up between the other European data authorities, while the money that comes to the ICO goes directly to the Treasury. Government noses in the trough, and the real victims get nothing, as per usual.