Experts Reacted On News: British Airways Fined £20m For Data Breach

British Airways has been fined £20m for failing to protect the personal and financial details of more than 400,000 customers, according to Business Live. This follows an investigation by the Information Commissioner’s Office (ICO) after the airline was the subject of a cyber-attack in 2018 which it did not detect for more than two months. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. ICO investigators found that BA did not detect the attack of 22 June 2018 themselves but were alerted by a third party more than two months afterward, on 5 September. Once it became aware, BA acted promptly and notified the ICO. Although this fine is the biggest issued by the ICO to date, it is still just a fraction of the £183 million fine the organisation originally said it intended to issue in 2019.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
October 20, 2020 1:22 pm

The road to hell is paved with good intentions. BA will likely shift the £20 million cost to passengers and employees, as most other companies would probably do. During the pandemic, exemplary penalties, aimed at strongly deterring others, likely mean more layoffs and lower quality of service, while cybersecurity budgets will probably remain intact or even continue their decline. Moreover, in large organizations, even £20 million is just a fraction of the overall security budget; thus it may simply mean that paying a “record” penalty is cheaper than investing in a robust and holistic cybersecurity program.

To make our digital lives safe and secure, governments should also consider supporting the cybersecurity efforts of companies and organizations. This includes efficient and effective cybercrime investigation units, capable of apprehending hackers, sending them to jail and recovering at least a part of the stolen loot or disgorging their illicit profits. With the mushrooming data protection laws and regulations, from the overhyped GDPR to the relatively young CCPA, harsh penalties against companies that create jobs and pay taxes are counterproductive when the state is toothless against cyber gangs that operate with impunity.

Darren Wray, CTO & Co-founder
InfoSec Expert
October 19, 2020 11:09 am

The change in the final fine from over £189m to £20m is a massive turnaround for the ICO in the British Airways case. Yet did the ICO really have any choice? After all, British Airways’ fortunes (along with those of every other airline) have changed significantly since the beginning of the COVID-19 pandemic.

What does this mean, though, for the millions of people whose personal information (including credit card numbers) was breached back in 2018?

I imagine many will feel their data and their fight to recover any financial losses resulting from the airline’s inability to keep their data safe has been somewhat marginalised.

This can only strengthen the case of the group pursuing a class action against British Airways. The GDPR and the UK DPA 2018 do, after all, allow for such action, and if the regulator isn’t seen as enforcing the rules strongly enough, it leaves those whose data was lost few alternative options.

Piers Wilson, Head of Product Management
InfoSec Expert
October 19, 2020 11:03 am

£20m might seem a big fine and a major consequence of failing to secure data under GDPR, but it is much less than the ICO’s original intended fine of £183m. Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgment of the ravages of Covid-19 on the airline industry, or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.

However, what ICO investigators did stress was that BA should have identified weaknesses in advance. This should come as a timely reminder that many cyber-attacks are preventable with standard cybersecurity controls, as long as they are working effectively. Whether following something like the NCSC’s Cyber Essentials guidance or the Australian Government’s Essential Eight risk mitigation framework, organisations need to rigidly maintain these foundations, from simple patching and access controls to actively searching for and fixing vulnerabilities.

In a highly interconnected world, it’s also not enough to have confidence in your own security. What about your partners up and down the entire supply chain, especially as organisations have had to react so quickly to Covid? The risks are great, not only in terms of fines but in loss of customer confidence in an already highly fragile economy, so regularly taking stock of cyber risk, and obliging partners to do the same, needs to be standard practice.

Joseph Carson, Thycotic
InfoSec Expert
October 19, 2020 10:59 am

The recent news recording another huge ICO (Information Commissioner’s Office) fine of £20m, this time against British Airways for failing to protect the personal and financial details of more than 400,000 of its customers, is another reminder to protect and secure privileged access. Cybercriminals will always look to gain privileged access, as it allows them to move around the network and gain access to sensitive files or databases, including employees’ and customers’ personal data.

The investigation found that the attacker discovered a username and clear-text password of a privileged domain administrator account left in an unsecured file, which, once in the hands of a criminal hacker, literally means it is game over. Organizations must prioritize privileged access security and never leave domain admin accounts unprotected in clear text within a file; otherwise it is an easy win for the criminals. Our job in cybersecurity is to make it difficult for criminals, to protect the business and customers’ data.

Aman Johal, Lawyer and Director
InfoSec Expert
October 19, 2020 10:55 am

It is concerning that British Airways has been fined just £20m after a significant climb-down from the ICO’s provisional intention to fine the airline £183m following its 2018 data breach. A reduction of £163m, almost 90%, means the final fine is a drop in the ocean for BA.

The fact that this agreed fine is a clear admission of liability from BA now cannot be ignored. There is now no excuse for BA defending the compensation action any longer, and they must agree to compensation settlements immediately. More delays in doing the right thing serve only to further damage the BA brand following numerous scandals in recent years. The change in CEO is an opportunity for the airline to show proper leadership and get a hold of BA’s dwindling reputation. Resolving the compensation action is a key part of this.

The ICO’s earlier record intention to fine was a landmark moment. It set the standard as a candid warning that is so desperately needed at a time when large-scale data breaches are rampant. I am concerned that such a significant climb-down undermines the GDPR and its ability to act as a credible deterrent to big business by sending the message that they can orchestrate their way out of paying substantial financial penalties. If this is to be a trend, the only real deterrent against large corporations breaching the GDPR will be the pursuit of large group action claims for compensation, like the one against British Airways.

At Your Lawyers, we will not be climbing down and, whilst we understand the challenges faced by the aviation industry from COVID-19, our legal action is now even more significant in making sure that the airline is held to account.
