- Security TWENTY
- Women in Security
British Airways faces a fine of £183.39m from the UK data privacy regulator the ICO for infringements of the General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. In part it involved user traffic to the British Airways website being diverted to a fraudulent site; customer details were harvested by the attackers. Personal data of about 500,000 customers were compromised, believed to date from June 2018.
The ICO says it has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The regulator says that British Airways has cooperated and has made improvements to its security arrangements since. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction. ICO has been investigating this case as lead supervisory authority on behalf of other EU countries’ data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in other EU countries whose residents have been affected will also have the chance to comment.
David Smith, Head of GDPR Technology, at software firm SAS UK and Ireland, said: “This high-profile ICO fine is the line in the sand many in the industry have been expecting for months. GDPR compliance has been a slow process for many – but the penalties are now clear.”
Amanda Finch, CEO of the new Chartered Institute of Information Security Professionals said that action on BA was inevitable. “While we don’t yet know the final size of any fine, this is a clear warning shot – not only for BA but for the security industry as a whole. The ICO is showing its willingness to implement the full weight of its powers under GDPR, and BA is showing us exactly what even a small percentage of annual turnover looks like.
“The industry needs to understand not only how to prevent, but how to react to large breaches if it is to avoid major action. Businesses need not only the technical skills that help make the organisation secure, but the “soft” interpersonal skills that help create a security-minded culture across the company. IT security is in the middle of a long-overdue period of professionalisation – standardising approaches and skills to ensure best practice at all times. Events like these show that it can’t happen quickly enough.”
Jake Moore, at the cybersecurity product company ESET, said: “There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about. Incredibly, this still isn’t the maximum fine they could have been handled either. However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of information personally identifiable.”
Piers Wilson, Head of Product Management at Huntsman Security, said: “To better deal with this issue, cybersecurity must become a boardroom level issue – where every part of the business has a real understanding of risk. This needs to extend not only across the business, but to anyone it works with that could potentially jeopardise data security. Businesses that don’t follow this could swiftly find themselves as the next example for the industry.”
Laurie Mercer, security engineering lead, at the bug bounty company HackerOne, said: “The average price on the bug bounty market for vulnerability like the one used to attack British Airways is about £400. That is about 0.00022pc of the ICO’s intended fine for British Airways. When looking at the numbers like this, it really highlights that it is much cheaper and safer to engage with the global white hat community. Cyber criminals are continuously probing your websites and APIs, continuous security is required to match their abilities and avoid such eye-watering fines.”
And Dr Guy Bunker, CTO at cyber security company Clearswift, said: “The good news is that the breach was picked up relatively quickly. BA has systems in place such that it could narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently.
“Finding a second attack is not uncommon. And there may well be more. The sophisticated attacks which are now carried out by organised criminals are designed to have multiple aspects – such that if one is discovered there are secondary or tertiary attacks ongoing. When finding one vulnerability in an IT infrastructure it will be exploited to its maximum, and within that exploit further discovery will be carried out as to what other pieces of malware can be introduced. Once an infection takes hold of an environment, it often becomes easier to start from scratch to rebuild it rather than try and take out the malware infections one by one – where, if you miss one as it is hibernating, you could end up back at square one in a few weeks or months’ time.