Illustrative Breaches
- Toyota
- Dealer Leader, LLC
- Cathay Pacific
- British Airways
- Spice Jet
- Albany International Airport
- EasyJet
- BancoEstado
- Embraer
- Aerostructures and Aircraft Division of Leonardo SpA
- Flight Centre Travel Group Ltd
- Mercedes
- AirIndia
- Audi
- Volkswagen
- Forward Air
- Navistar
Data breach of entities - maximum fines and damage
- EasyJet: On 19 May 2020, EasyJet, a British airline group, issued a notice reporting a cyber-security incident which exposed the personal information of approximately 9 million customers. The company investigated and found that the email addresses, travel details and credit card details of around 2,208 customers were accessed. However, no passport details were exposed. The company notified the National Cyber Security Centre and the ICO of the breach and is in the process of contacting the affected customers.
- British Airways: Despite all the threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) saw relatively little in the way of punitive action. Fines issued by data protection authorities across mainland Europe that related to data breaches had been in the tens or relatively low hundreds of thousands of euros, and were generally in line with the kinds of fines companies had received under prior regulations. With a lot of money being spent on compliance efforts and seemingly light punishment for failure, there was a growing worry that GDPR might actually be something of a damp squib. That quickly changed after BA was fined a record £183 million [~$230 million], the highest data breach penalty to date, surpassing the $148 million Uber paid out in 2018. British Airways was fined by the UK’s data protection authority, the ICO, after the Magecart group used card-skimming scripts to harvest the personal and payment data of up to 500,000 customers over a two-week period. The ICO said its investigation found that “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and that the data protection authorities aren’t afraid to exercise their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance officers renewed impetus to strengthen their security programs further.
- Cathay Pacific: Cathay Pacific was fined a £500,000 penalty by the UK’s data watchdog. Data on 9.4 million customers (111,578 of whom were from the UK) was leaked after the company failed to implement the necessary technical and administrative measures to ensure data security, and it also breached its notification obligations.
- SpiceJet: SpiceJet has reportedly been affected by a data breach exposing the private information of more than 1.2 million passengers. A security researcher gained access to the information by brute-forcing the password to SpiceJet’s system. SpiceJet had left the information unencrypted in a database file, giving easy access to attackers. The data contained names, phone numbers, email addresses, dates of birth and other flight information of the passengers.
Enforcements
| Name | Fine | Authority |
| --- | --- | --- |
| Taxa 4×35 | EUR 160,000 | Danish Data Protection Authority |
| British Airways | EUR 183,390,000 | Information Commissioner’s Office (ICO) |
| Vueling Airlines | EUR 30,000 | Spanish Data Protection Authority |
| LGS Handling Ltd | EUR 70,000 | Cypriot Data Protection Commissioner |
| Louis Aviation Ltd | EUR 2,000 | Cypriot Data Protection Commissioner |
| Kymen Vesi Oy | EUR 16,000 | Deputy Data Protection Ombudsman (Finland) |
| Proleasing Motors SRL | EUR 15,000 | Romanian National Authority for the Supervision of Personal Data Processing |
| Global Business Travel Spain SLU | EUR 5,000 | Spanish Data Protection Authority |
| British Airways | EUR 22,029,866 | The Information Commissioner’s Office (ICO) |
| Air Europa Lineas Aereas, SA | EUR 600,000 | Spanish Data Protection Authority (AEPD) |
| Vattenfall Europe Sales GmbH | EUR 900,000 | Data Protection Authority of Hamburg |
| Rhodes Municipal Transport Company | EUR 8,000 | Hellenic Data Protection Authority (HDPA) |
| GESTIONES AUTO LOW COST S. L. | EUR 1,000 | Spanish Data Protection Authority |
| Atac s.p.a. | EUR 400,000 | Italian Data Protection Authority (Garante) |
| Automecanica Jerez, S.L. | EUR 4,000 | Spanish Data Protection Authority |