Experts Reacted On News: British Airways Fined £20m For Data Breach

British Airways has been fined £20m for failing to protect the personal and financial details of more than 400,000 customers, according to Business Live. This follows an investigation by the Information Commissioner's Office (ICO) after the airline was the subject of a cyber-attack in 2018 which it did not detect for more than two months. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers and the CVV numbers of 244,000 BA customers. ICO investigators found that BA did not itself detect the attack, which began on 22 June 2018, but was alerted by a third party more than two months later, on 5 September. Once aware, BA acted promptly and notified the ICO. Although this fine is the biggest issued by the ICO to date, it is still just a fraction of the £183 million fine the regulator originally said it intended to issue in 2019.

Expert Comments

October 20, 2020
Ilia Kolochenko
Founder and CEO
ImmuniWeb
The road to hell is paved with good intentions. BA will likely shift the £20 million cost to passengers and employees, as most other companies would probably do. During the pandemic, exemplary penalties aimed to strongly deter others likely mean more layoffs and less quality of service, while cybersecurity budgets will probably remain intact or even continue their decline. Moreover, in large organizations, even £20 million is just a fraction of the overall security budget, thus it may simply mean that paying a "record" penalty is cheaper than investing in a robust and holistic cybersecurity program. To make our digital lives safe and secure, governments should also consider supporting the cybersecurity efforts of companies and organizations. This includes efficient and effective cybercrime investigation units, capable of apprehending hackers, sending them to jail and recovering at least a part of the stolen loot or disgorging their illicit profits. With the mushrooming data protection laws and regulations, from the overhyped GDPR to the relatively young CCPA, harsh penalties against companies that create jobs and pay taxes are counterproductive when the state is toothless against cyber gangs that operate with impunity.
October 19, 2020
Darren Wray
CTO & Co-founder
Guardum
The change in the final fine from over £189m to £20m is a massive turnaround for the ICO in the British Airways case. Yet did the ICO really have any choice? After all, British Airways' fortunes (along with every other airline's) have changed significantly since the beginning of the COVID-19 pandemic. What does this mean, though, for the millions of people whose personal information (including credit card numbers) was breached back in 2018? I imagine many will feel their data, and their fight to recover any financial losses resulting from the airline's inability to keep their data safe, has been somewhat marginalised. This can only strengthen the case of the group pursuing a class action against British Airways. The GDPR and the UK DPA 2018 do, after all, allow for such action, and if the regulator isn't seen as enforcing the rules strongly enough, it leaves those whose data was lost few alternative options.
October 19, 2020
Piers Wilson
Head of Product Management
Huntsman Security
£20m might seem a big fine and a major consequence of failing to secure data under GDPR, but it is much less than the ICO's original intended fine of £183m. Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgment of the ravages of Covid-19 on the airline industry, or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect. However, what ICO investigators did stress was that BA should have identified weaknesses in advance. This should come as a timely reminder that many cyber-attacks are preventable with standard cybersecurity controls, as long as they are working effectively. Whether following something like the NCSC's Cyber Essentials guidance or the Australian Government's Essential 8 risk mitigation framework, organisations need to rigidly maintain these foundations, from simple patching and access controls to actively searching for and fixing vulnerabilities. In a highly interconnected world, it's also not enough to have confidence in your own security. What about your partners up and down the entire supply chain, especially as organisations have had to react so quickly to Covid? The risks are great, not only in terms of fines but in loss of customer confidence in an already highly fragile economy, so regularly taking stock of cyber risk, and obliging partners to do the same, needs to be standard practice.
October 19, 2020
Aman Johal
Lawyer and Director
Your Lawyers
It is concerning that British Airways has been fined just £20m after a significant climb-down from the ICO's provisional intention to fine the airline £183m following their 2018 data breach. A reduction of £163m, almost 90%, means the final fine is a drop in the ocean for BA. The fact that this agreed fine is a clear admission of liability from BA now cannot be ignored. There is now no excuse for BA defending the compensation action any longer, and they must agree to compensation settlements immediately. More delays in doing the right thing serve only to further damage the BA brand following numerous scandals in recent years. The change in CEO is an opportunity for the airline to show proper leadership and get a hold of BA's dwindling reputation. Resolving the compensation action is a key part of this. The ICO's earlier record intention to fine was a landmark moment. It set the standard as a candid warning that is so desperately needed at a time when large-scale data breaches are rampant. I am concerned that such a significant climb-down undermines the GDPR and its ability to act as a credible deterrent to big business by sending the message that they can orchestrate their way out of paying substantial financial penalties. If this is to be a trend, the only real deterrent against large corporations breaching the GDPR will be the pursuit of large group action claims for compensation, like the one against British Airways. At Your Lawyers, we will not be climbing down and, whilst we understand the challenges faced by the aviation industry from COVID-19, our legal action is now even more significant in making sure that the airline is held to account.
October 19, 2020
Joseph Carson
Chief Security Scientist
Thycotic
The recent news reporting another huge ICO (Information Commissioner's Office) fine of £20m, this time against British Airways for failing to protect the personal and financial details of more than 400,000 of its customers, is another reminder to protect and secure privileged access, as cybercriminals will look to gain privileged access because it allows them to move around the network and gain access to sensitive files or databases, including employee and customer personal data. The investigation found that the attacker discovered a username and clear-text password of a privileged domain administrator account left in an unsecured file, which, once in the hands of a criminal hacker, literally means it is game over. Organizations must prioritize privileged access security and never leave domain admin accounts unprotected in clear text within a file; otherwise it is an easy win for the criminals. Our job in cybersecurity is to make it difficult for criminals, to protect the business and customers' data.
October 19, 2020
Matt Walmsley
EMEA Director
Vectra
Attackers invariably need to seek and gain privileged access. The details of the BA attack contained in the ICO's report should serve as a salutary yet cautionary tale for security leaders and architects. Single-factor authentication on VDI remote desktop services, storage of passwords in plain text, hard-coded credentials in scripts aiding lateral movement and privilege escalation, and a lack of network monitoring and detection capabilities to detect privilege abuse and attacker movement all stand out in today's £20M GDPR penalty notice filing. All defences are ultimately imperfect, which is why early detection of and response to an active attacker inside your organisation can make the difference between a contained security incident and a damaging and costly breach.
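Two of the comments above (Carson's and Walmsley's) point at the same root cause: a privileged account's password sitting in clear text in a file or script. The cheapest control against that is to look for it before an attacker does. The script below is an added example written for this page, not code from BA, the ICO, Thycotic or Vectra. The sample files it scans are constructed to imitate the kind of artefact the penalty notice describes (a `net use` command carrying a domain admin password, a `$pass` variable, a `ConvertTo-SecureString ... -AsPlainText` call, a shell variable, a basic-auth `curl`); they are not copies of anything from BA. The rule names and regexes are the author's own and deliberately narrow; a production scan would use a maintained secret scanner, but the structure (ordered rules, first match wins, secrets redacted before they reach a report) is the part worth copying.

```python
"""Scan scripts and config files for clear-text credentials.

Added example for this page; not BA's, the ICO's or any vendor's code.
The sample files below are constructed and imitate the artefacts the ICO
penalty notice describes: a privileged password left in a script.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# Constructed sample files (hypothetical names and contents).
SAMPLE_FILES: Dict[str, str] = {
    "mount_share.ps1": (
        '$user = "CORP\\svc_backup"\n'
        '$pass = "Summ3r2018!"\n'
        'net use Z: \\\\fileserver\\finance /user:CORP\\da_admin P@ssw0rd123\n'
        '$sec = ConvertTo-SecureString "Winter2018!" -AsPlainText -Force\n'
    ),
    "deploy.sh": (
        '#!/bin/sh\n'
        'DB_PASSWORD=hunter2\n'
        'export API_TOKEN="abc123"\n'
        'curl -u admin:letmein https://intranet.example/api\n'
    ),
    # The safe pattern: prompt for a credential instead of embedding it.
    "clean.ps1": (
        '$cred = Get-Credential\n'
        'Invoke-Command -ComputerName web01 -Credential $cred -ScriptBlock { hostname }\n'
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    account: str
    redacted: str  # the secret never travels in the report, only a masked form


# Ordered rules; the first rule that matches a line wins. Names are the author's.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("net_use_cleartext",
     re.compile(r"net\s+use\b.*?/user:(?P<acct>\S+)\s+(?P<secret>\S+)", re.I)),
    ("convertto_securestring_plaintext",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\'].*-AsPlainText', re.I)),
    ("curl_basic_auth",
     re.compile(r"\bcurl\b.*?\s-u\s+(?P<acct>[^:\s]+):(?P<secret>\S+)", re.I)),
    ("assignment",
     re.compile(r"""^\s*(?:export\s+)?\$?(?P<acct>\w*(?:pass(?:word|wd)?|pwd|secret|token)\w*)"""
                r"""\s*=\s*["']?(?P<secret>[^"'\s]+)""", re.I)),
]


def redact(secret: str) -> str:
    """Keep two characters for triage, mask the rest."""
    return secret[:2] + "*" * max(0, len(secret) - 2)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that matches a rule (first matching rule only)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                groups = m.groupdict()
                findings.append(Finding(path, line_no, rule,
                                        groups.get("acct") or "(none)",
                                        redact(groups["secret"])))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for tracking a backlog over time."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] account={f.account} secret={f.redacted}")
    print(summarize(results))
```

Run against the samples it reports six findings across the two bad files and none for `clean.ps1`. Two caveats a practitioner should keep in mind: regex scanning misses anything obfuscated or base64-wrapped, and a domain admin account that appears in any script at all is itself the finding, whatever the password looks like; the fix is a vaulted service account with the minimum rights the job needs, not a better hiding place for the string.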
October 19, 2020
Stuart Reed
UK Director
Orange Cyberdefense
While the size of the fine may be smaller than many people expected, the impact on the airline in terms of customer trust could be even bigger than the financial cost. The ICO's finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning. Organisations are expected to demonstrate best security practice at all times. It is imperative that they recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly. Firms must adopt a layered security approach that includes people, processes and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.
October 19, 2020
Jake Moore
Cybersecurity Specialist
ESET
Fines are, without a doubt, a necessary part of the data breach chain. Organisations must understand they cannot get away with compromising personal data, which will potentially have cost customers more than this initial fine. While some organisations view these fines simply as a potentially inevitable business cost, the fine issued must represent the real cost to customers and the situation they have been placed in. Significant consequences for businesses are of the utmost importance at the current moment, as the rapid, potentially haphazard move to remote working has caused a shift in priorities for some, with organisations potentially neglecting data protection amongst the chaos.