The GDPR set the maximum penalty to 4% of turnover.

The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.

the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

What the story is not saying is, how BA was guilty ... they loosely mention "poor security arrangements", but not exactly what BA did, or did not do.

I dread the day my server will be hacked ... I am ultra paranoiac, I am not storing "sensitive" information, doing everything to protect the server, the data, etc... but still, I know that one day or another I'll be hacked no matter what... I wish authorities would deploy as much resources to track hackers than they do to track companies which have been hacked ... (even if sometimes these companies are faulty of course)

@Dimitry

I know that one day or another I'll be hacked no matter what... I wish authorities would deploy as much resources to track hackers than they do to track companies which have been hacked ...

You hit the nail on the head with this statement.

For a company like BA or FB, hundreds of millions in fines is just the cost of doing business. The amount is unlikely to even cause a measurable change in the share price. But for small business the cost of compliance will likely exceed the 4% of turnover, and as you state, even then there is no guarantee that one wont get hacked.

So really who is this regulation helping? The big companies are not really concerned by it, and these are the companies that are putting the most data at risk. While the small companies pay the biggest price with the least data at risk, in most cases the risk negligible.

Yes, I was saying something more or less similar in this topic : [webmasterworld.com...]

I was also reading about the fines and where they go. If the fines were ringfenced and used specifically to chase down hackers, or even went to charity, or towards recompencing the affected individuals I'd be a lot happier.
Also, is this really proportional?
I have experience of a hack which took place a number of years ago, and I'm still getting plagued by theives claiming to be from the specific company. They have my details. The crazy thing is that the thieves seem to think that the old details are still current from five years ago.
It's part of life, i guess.

Call me a conspiracy theorist, but I am sure that countries like the USA, China, and Russia, have the technologies and resources to track down hackers. I don't believe that hackers are smarter than the intelligences of these countries...

By the way, I am off-topic, but this is bringing dark souvenirs of something I experienced in the 90's...

Here is an explanation of the BA breach from just after it was discovered: Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims [riskiq.com].

Basically an infected javascript library phoned home with customer PII. BA failed on at least two basic security counts:
* the cracked library was years out of date.
* the crackers managed access and write permission.

The attack was basically at a script kiddie level, this was not some sophisticated 1337 h4x0r sophisticated crack. Put simply BA was, in web payment security terms, grossly negligent. And, as we know from previous fines for egregious PII breaches over the years they were simply received as a cost of doing business. Making the cost hurt may just make the recipient as well as others treat security as as a necessary requirement and not a joke.

However, as BA has said they will appeal I expect the fine will be rolled back 'in the national interest' or similar and impetus for change will dissipate once again. That said: good on you, Elizabeth Denham (ICO Commissioner), good on you.

....

Call me a conspiracy theorist, but I am sure that countries like the USA, China, and Russia, have the technologies and resources to track down hackers. I don't believe that hackers are smarter than the intelligences of these countries...

Over time, yes but it takes a lot of effort and can be impossible in each specific instance if the cracker knows what they are doing. Eventually usually a mistake is made in a given instance (EG: if there is a 1% chance of being caught and one doesn't stop...) and code fingerprints tie back to other cracks.
Then, while the cracker may be 'identified' it may be an alias and not a true identity.
Also, the cracker may be currently jurisdictionally untouchable unless travels to where 'gettable' and law enforcement is aware.
And lastly, governments are motivated by national security and politics - a strictly business crack is rarely seen as either.

Thanks @iamlost for the details. One more reasons I am never using third part libraries :)