British Airways is set to be fined more than £183 million over a customer data breach.
- The fine relates to the theft of customers’ personal and financial information between June 2018 and September 2018 from the website ba.com and the airline’s mobile app
- The airline initially said around 380,000 payment cards had been compromised, however the ICO said in a statement that the personal information of 500,000 customers had been affected
- The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers
The owner of British Airways is facing a fine of £183.4m after a data breach which saw personal details belonging to 500,000 compromised https://t.co/8qmBVb9LNC
— Sky News (@SkyNews) July 8, 2019
Experts Comments:
Javvad Malik, Security Awareness Advocate at KnowBe4:
“While there is no denying that it is a large fine, it is commensurate with the breach which saw nearly half a million customers personal and financial data impacted. After the introduction of GDPR last year many wondered when the large fines would begin and this seems to be it.”
.
Anna Russel, VP at Comforte AG:
“Companies need to realize that GDPR is a data privacy regulation that has teeth. Google was already fined €50m in France earlier this year, and now with the case of British Airways, it is becoming clear that more big fines will be handed out if organizations fail to take data privacy seriously. The information commissioner Elizabeth Denham has pointed out something that many companies don’t yet seem to understand: The personal data that they are processing and storing is not their property. They have only been entrusted with it. That is a big difference. So what can organizations like British Airways do to protect their customer’s data adequately? It may seem obvious, but they need to take a serious approach to data security. There are proven methods available which can prevent such data breaches from happening. Tokenisation of personal data is a great example. With such an approach, all sensitive data elements get replaced by tokens. That means that in the case of a data breach, only tokens are lost and not the underlying personal data. Furthermore, as it is the data elements themselves that are protected, the actual security mechanism always travels with the data. No matter if it is processed and stored within the company network, or whether it moves outside the perimeter.”
Dr Darren Williams, CEO and Founder at BlackFog:
“News that British Airways is facing a fine of more than £183 million over its customer data breach is a huge milestone for GDPR. It’s the first fine to be publicly announced since GDPR was implemented and the largest the Information Commissioner’s Officer (ICO) has ever issued – striking when compared to Facebook’s pre-GDPR £500,000 fine over the Cambridge Analytica scandal.”
“The takeaway from this proposed penalty is that consumer privacy needs to be the highest priority for every business and any missteps in protecting data will be addressed with full force. It is inevitable that cybercriminals are going to get in, which is why businesses need a layered and preventative approach. Firewalls to prevent access, malware solutions to remove infections, and most critically, the middle piece focused on preventing the transmission of data off the network.”
Joseph Carson, Chief Security Scientist at Thycotic:
£183m is the cost of not protecting sensitive personal information from cybercriminals and this is just the fine not including the actual costs of cleaning up or responding to the data breach. The fine could have been much higher, reaching almost as much as £500m if the full potential 4% of annual turnover was enforced. The fine is considerably lower than the potential 4% of annual turnover, but still a significant amount of financial impact for British Airways. This is now a reminder for those companies who still do not treat cybersecurity as a top priority of the cost of not taking personal information and cybersecurity seriously versus putting strict security controls in place along with vigorous monitoring. The cost of doing nothing minus the cost of doing something is the cyber risk that companies are willing to take by not taking cybersecurity more seriously.
Malcolm Taylor, Director of Cyber Advisory at ITC Secure:
This is the first proper example of the ICO imposing a fine under GDPR. The security industry has been waiting for this but, even so, I judge the size of the fine has taken many by surprise. BA have said in response that they are considering an appeal and, for them crucially, they claim that there is no evidence that any of their clients suffered harm as a result. That said, the fine is less than is allowed under the regulation; GDPR allows for a fine of up to 4% of global turnover (in BA’s case £13b turnover equating to a possible fine of nearly £500m). There was always a belief that whichever large company first fell foul of a GDPR breach would be held up as an example; in contrast I think this looks a proportionate response from the ICO, and one in which they have demonstrated their new powers and delivered a punishment, but avoided going all-out against (in this case) BA. I also think it is worth remembering that this was a large and serious breach; hundreds of thousands of individuals’ data including credit card details with CVV, and in some cases passports.
Elizabeth Denham, the Information Commissioner, has made clear that the ICO is taking data breaches seriously; she has said that GDPR protects private data and private data should be just that – private. In practical terms this means that companies are now accountable. That ought to push data- and cyber- security to where it belongs as a risk issue – the board room. Will it? I think it’s too soon to tell, to be honest. 1.5% of global turnover will focus minds, but the nature of the cyber threat still allows abrogation of that accountability under the cloak of “it’s a technical issue and we don’t understand”. It isn’t, but that will continue to happen. I also hope this is an opportunity grasped by the security industry; we need to stop talking largely to ourselves, and stop assuming that fear will sell what we do, and start instead to present this as a board-level risk which can, with investment, strategy and thought, be mitigated properly (if not totally). Until then, I think we will continue to see breaches, fines and appeals. Sadly.
A final thought. BA claim no-one suffered harm. That may or may not be true – I don’t know. But hundreds of thousands of their clients did suffer personal inconvenience and therefore impact. Anecdotally, individuals spent considerable time sorting out a personal mess caused by the breach.
And finally finally, I have no doubt that there is a risk that large fines such as this will motivate some attackers to target big, well-known corporations; they will take vicarious pleasure from launching an attack, harvesting data, and then watching the size of the fine. Most attackers are in it for the money, but the perverse kudos they will feel (and get) is also likely to be a factor. What price being the attacker behind the ICO’s biggest ever fine?
Peter Carlisle, Vice President of Global Sales at nCipher Security:
Since the GDPR came into force, we’ve seen a variety of breaches and fines occur, ranging from large, established organisations to smaller organisations. With over 200,000 cases reported across Europe, British Airways is just the latest in a long line of organisations to show us that no one using the personal data of EU citizens can avoid compliance. The loss of customer trust and damage to reputation that follow a data breach are now being matched by weighty fines and potentially devastating financial penalties.
As BA has learnt, the future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection. It also means a commitment to transparency. Transparency in telling customers how their data is being collected and used and transparency when it comes to disclosing the scale and affected parties if a data breach does occur. After all, data is any business’s most important asset, regardless of size or sector.
The best defence in cybersecurity is a proactive one, and the right mix of hardware, software and internal education provides a firm foundation of protection. Encryption, digital signing and key generation are also increasingly important, as data that is fully encrypted is useless to hackers even if a data breach does occur.
Piers Wilson, Head of Product Management at Huntsman Security:
“This is undoubtedly a large fine, even if it ends up being reduced, but it has still served its purpose – highlighting the dire consequences that businesses face in the era of GDPR. Without the right technology and processes in place, and most importantly without the understanding of whether they are doing enough to reduce risk, organisations could swiftly find themselves in the firing line for similarly painful amounts, not to mention the potential damage to their reputation and loss of custom. To better deal with this issue, cybersecurity must become a boardroom level issue – where every part of the business has a real understanding of risk. This needs to extend not only across the business, but to anyone it works with that could potentially jeopardise data security. Businesses that don’t follow this could swiftly find themselves as the next example for the industry.”
Colin Truran, Principal Technology Strategist at Quest:
“The British Airways AIG data breach heralds the start of the GDPR being applied to business failures in protecting our personal data.
It’s worth breaking down the numbers to get a better perspective. This is a record fine and a significant one for an industry that struggles to maintain a steady profit. However, it equates to only £366 per person and based on what Facebook are willing to pay for the use of far less critical information this doesn’t seem that much. We need to understand that this is meant to be a slap on the wrist for the uncontrolled exposure of sensitive information for which we will never really know how it’s been used. What we really need to understand is why the failure happened, what can we all learn from this and what has BA implemented since then to improve the situation. We would also like to know what staved the hand of the ICO in not going for the full 4%, was it based on the measures BA had in place, the action it took to identify and notify individuals as well as it’s cooperation with the ICO. These early cases are vital to help business understand the risks they face and how they can mitigate them for themselves and of course their customers.
They are not out of the woods yet as outside of an appeal this may not be the end of it for IAG as under the GDPR they will also be subject to a much easier litigation process from affected individuals or “ambulance chasers” wishing to act on their behalf.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“What’s worse, is that the £183 million fine does not really terminate legal ramifications of BA related to their website hack, other parties may still have valid claims against BA. It is now important to determine whose negligence or misconduct ultimately caused or facilitated the breach. If BA was relying only on automated vulnerability scanning for a business critical application, a cybersecurity supplier who suggested such a reckless strategy – may be liable under certain circumstances and BA may crossclaim the damages.
In any case, this is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded – may cost hundreds of millions. Prompt reaction, investigation and rapid notice won’t be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints.”
John O’Keeffe, VP of EMEA at Looker:
“This punitive measure against British Airways – the record issued in the UK by the Information Commissioner’s Office – serves another reminder to IT security leaders to review their data handling and security processes regularly, ensuring policies and processes put in place prior to the GDPR deadline are still being carried out properly.
“With access to data storage becoming so inexpensive, easy and accessible in recent years, the instinct has been for businesses to hoard any and all data they can get their hands on. In many cases, this has generated results in the form of new insights that never would have been uncovered otherwise.
“However, this has also resulted in businesses housing huge volumes of data, some of which isn’t being used at all, and the rest of which is often duplicated across many locations. This ‘data sprawl’ makes it hard for enterprises to even understand what exactly they’re storing, let alone where it is, how it’s being accessed or how to respond to data subject access or deletion requests. This sprawl can potentially increase risk to the business and to individuals.
“Organisations seeking to achieve GDPR compliance may have tackled this issue prior to the deadline, but they’ll need to ensure the right strategies, processes and technologies are in place to maintain this position moving forwards.”
Philip Greaves, Director and GDPR lead at Protiviti:
“The press release from the ICO does not release any significant information in relation to how the breach was perpetrated by the hackers, although some reports pointed towards toward a vulnerability in payment systems. The fine is clearly very significant and so the ICO must feel that the cyber security controls in place were not sufficient to protect BA customer data.
Whilst the fine is significant, this is well within the boundaries of GDPR and so is not totally unexpected, and we had heard chatter at various conferences that there may be imminent fines coming out. Given the risk profile of British Airways and previous attacks over the last few years, British Airways clearly needs to be investing heavily in driving stronger cyber controls. The Regulators are not expecting attacks to stop happening, only that organisations have sufficient controls in place to limit the risk to data subjects.
We have very clear messaging around driving risk based investment around your cyber defences and can dovetail this into how organisations can place a personal data lens around this risk management. For example, assessing encryption requirements across the organisation to determine where databases should be encrypted. This will significantly limit the extent of potential data breaches.”
Amanda Finch, CEO at Chartered Institute of Information Security Professionals:
“Action on BA was inevitable. 23 percent of security professionals named it the worst security breach of 2018, second only to Facebook and the Cambridge Analytica scandal. While we don’t yet know the final size of any fine, this is a clear warning shot – not only for BA but for the security industry as a whole. The ICO is showing its willingness to implement the full weight of its powers under GDPR, and BA is showing us exactly what even a small percentage of annual turnover looks like.
“The industry needs to understand not only how to prevent, but how to react to large breaches if it is to avoid major action. Businesses need not only the technical skills that help make the organisation secure, but the “soft” interpersonal skills that help create a security-minded culture across the company. IT security is in the middle of a long-overdue period of professionalization – standardising approaches and skills to ensure best practice at all times. Events like these show that it can’t happen quickly enough.”
Tony Pepper, CEO at Egress:
News breaking this morning that British Airways, the flag carrier airline of the United Kingdom, is set to be fined more than £183 million over a customer data breach brings into stark focus the severity with which the Information Commissioner’s Office (ICO) is addressing data compliance under GDPR.
The total proposed fine of £183.39 million, equivalent to 1.5% of BA’s global turnover for the financial year ending December 31, dwarfs the previous highest fine of £500,000 doled out to Facebook for serious breaches of data protection law in 2018.
This fine not only puts pay to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority.
This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wakeup call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.
Jake Moore, Cybersecurity Specialist at ESET:
“There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about. Incredibly, this still isn’t the maximum fine they could have been handled either.
However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of information personally identifiable.”
Matan Or-El, CEO at Panorays:
“The data breach that British Airways experienced last year was one of many cyberattacks attributed to Magecart, a group that hacked into companies providing web application services through Javacript integration to other companies. After hacking the provider of the Javascript code, the group augmented the original integration with their own malicious code. As a result, every application that used the services of the company became compromised. Other companies that were similarly breached through Magecart include Feedify, Newegg and others. Companies need to do a better job assessing and managing the risk associated with third parties in their cyber supply chain. The £183 million fine that British Airways is facing is likely just the tip of the iceberg for what is to come, and should serve as a wake-up call for organizations that GDPR is here and being enforced.
Nicola Pero, CTO at Engage Hub:
“British Airways has hit the headlines again after suffering a £183m fine as a result of a data breach that saw approximately 500,000 customers’ details harvested by attackers last year. Scandals in the media remain fresh in the minds of customers and people continue to mistrust the mention of ‘data’. Despite being in a post-GDPR era, which has demanded that robust processes and technology are in place to protect customer data, large companies are still finding it hard to protect their systems.
“More often than not, businesses don’t have the right infrastructure in place. It has been a challenge for companies, particularly those that have legacy processes and aging technology to suddenly switch to building products and services that are compliant. Businesses need to implement a platform that manages all data orchestration so that silos do not get in the way and dramatically increase risk and cost. However, companies must not forget to address the small vulnerabilities that can open the door to major problems. Simple things like not opening spam emails or using more complex passwords go a long way. Ultimately, when everyone takes responsibility for data security, the business overall is in a stronger position to deliver a greater offering and can help to ensure their customers are satisfied and have trust in whether it be their airline or their bank.”
David Emm, Principal Security Researcher at Kaspersky:
“Failing to properly manage customer data can have devastating consequences for businesses, as has been demonstrated by the fine issued to British Airways (BA) today. With so much valuable personal and financial data entrusted to airlines, it is easy to see why they are such a sought over target for cybercriminals. Whilst the result of the ongoing investigation is yet to be determined, one thing is certainly clear, cyberattacks are becoming increasingly sophisticated and harder to defend against.
“Customers who entrust their private information to the care of an airline should be safe in the knowledge that their data is being kept in a secure manner. As BA moves forward and tries to regain some of the consumer trust that it may have lost amidst this breach, it must now work tirelessly to implement a cybersecurity strategy that is capable of effectively protecting against the evolving skills of the modern cybercriminal. With this attack occurring through a vulnerability in the reservations system, an important first step for BA is to take a step back and re-evaluate its online security strategy. These measures include running fully updated software, performing regular security audits on its website code and penetration testing its infrastructure.”
Sam Curry, Chief Security Officer at Cybereason:
“In today’s corporate world, companies can be heroes or villains in these situations, not victims. There is far more at risk for British Airways if they don’t improve their security and privacy. And while certainly startling on many levels to BA and the world. this is absolutely a wake up call. The ICO is enforcing it’s mandate. And while the company may feel singled out, this is the new normal. The message here is clear: it’s not about checking boxes. It’s about privacy in the company’s DNA. You can’t just roll out a good enough app that doesn’t have good enough privacy or security. It’s also not about the facile direct risk of fraud. This is about the privilege of holding data, which is no more a right for BA than for anyone; and violation of that erodes the integrity of a class of users’ identities. By all means, BA should appeal as they have a right, but the new normal is not going to forgive ignorance or whining when the penalty can still increase if BA suffers a further incident or resists correcting operations and overall security.”
Paul German, CEO at Certes Networks:
The fine of £183m that the Information Commissioner plans to levy on British Airways for the breach it disclosed in September 2018 is causing panic amongst businesses across the globe. But, for organisations with a data-centric approach to cyber security, it doesn’t need to be the start of any sleepless nights.
The issue is that many organisations are still focused on protecting the network, rather than the data itself. The positive side is that organisations are investing heavily in their cyber security strategies, but they are investing in protecting the wrong aspect – the network – which essentially amounts to a lost investment. A different approach is needed.
The security teams that adopt a data-centric approach to cyber security will be able to sleep far easier at night; by protecting payload data with Layer 4 encryption, even if the data is stolen it will be rendered useless to hackers. After all, data is one of an organisation’s most important assets, so those that focus on protecting it by securing data rather than the network, don’t need to worry about the Information Commissioner knocking on their door anytime soon.
Tim Hickman, Partner at White & Case:
“The UK ICO’s announcement of a £183m fine to British Airways demonstrates the increasingly serious nature of GDPR enforcement. Much like the decision by France’s CNIL to issue a €50m fine to a technology company earlier this year, this announcement forms part of a trend that has seen a dramatic escalation of penalties for businesses that are deemed to be non-compliant.
“In recent years, many of the most high-profile data protection enforcement actions have involved technology companies. This has led to a view in some quarters that GDPR compliance is primarily a concern for companies in the technology sector and that businesses in other sectors face lower risks. By announcing its intention to issue a record fine to a company outside the technology sector, the ICO is putting businesses on notice that GDPR enforcement is coming for all manner of organisations in all sectors.
“Businesses should therefore take this announcement as a reminder to put serious thought into whether they have identified and understood their GDPR obligations, whether they have satisfied those obligations, and whether they have a plan for addressing any known compliance gaps.”
Dr Guy Bunker, CTO at Clearswift:
“With the breaking news this morning that BA has been fined £183m, we have seen the answer to the predominant questions posed at the time of the hack: will we see a substantial fine levied on the company? While there have been a number of breaches since the legislation was enforced earlier last year, this is one where the affected business has admitted what has happened and believes it ticks all the boxes when it comes to personal data being compromised. Consequently, this is the first major ICO fine for a GDPR breach in the UK, which shows the Information Commissioner’s Office are willing to fine large companies for losing personal information. British Airways will now have to redouble their efforts to prove that they and their supplier have a malware free infrastructure in order to begin the process of rebuilding trust with its customers. They have been fined 1.5% of their worldwide turnover in 2017, which is near the 2% maximum fine.”
Bunker went on to state: “The good news is that the breach was picked up relatively quickly. BA has systems in place such that it could narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently.
“Finding a second attack is not uncommon. And there may well be more. The sophisticated attacks which are now carried out by organised criminals are designed to have multiple aspects – such that if one is discovered there are secondary or tertiary attacks ongoing. When finding one vulnerability in an IT infrastructure it will be exploited to its maximum, and within that exploit further discovery will be carried out as to what other pieces of malware can be introduced. Once an infection takes hold of an environment, it often becomes easier to start from scratch to rebuild it rather than try and take out the malware infections one by one – where, if you miss one as it is hibernating, you could end up back at square one in a few weeks or months’ time.
David Francis, IT Security Consultant at KCOM:
“The BA fine demonstrates the paramount importance to business of getting security right. Data access must be controlled with the greatest of care, for the sake of customer privacy first and for the health and reputation of the business second.
“It’s essential to be able to identify when a breach has taken place, who accesses what information and where it has moved. Endpoint protection is not enough – the data is the target and the asset, so it’s data that must be secured, with as much granular insight into access privileges as possible. Only then can companies be rapidly notified of unauthorised access, and have a better chance of identifying the source of the leak at speed.
“Once data is out of the network, it can never be recalled. For that reason, and as the scale of this fine reinforces, identity and access management (IAM) must now be viewed as top-level strategic priorities, not a backroom concern. IAM is now a board-level issue, and CIOs need to ensure they have the right tools in place and the right partners in their network to ensure they can reassure the C-suite that security will not let the organisation down.
“IAM is essential to business continuity and customer privacy – let BA be a call to arms for businesses of all kinds.”
Saryu Nayyar, CEO at Gurucul:
“A fine of this magnitude can go a long way towards convincing companies to do everything they can to protect their customer’s private information. Too many companies continue to make the mistake of not investing enough in their cybersecurity programmes. They also continue to make the mistake of relying on the same conventional cybersecurity technologies that are continuously exploited during cyberattacks. These companies would be wise to look at new, automated approaches such as continuous monitoring of user and entity behaviours to discover anomalies as they occur.”
Ashley Hurst, Partner and Head of Tech, Media and Comms at international legal practice Osborne Clarke:
“It is interesting to note that British Airways owner IAG released an announcement to market and the ICO has issued its press release despite the fact the ICO’s intention to fine is preliminary. Historically, fines were announced once the final decision regarding the amount of that fine was reached. It may be that the size of the proposed fine and the listed status of British Airways was such that there was no choice but for IAG to publicly announce the size of the intended fine.
The proposed fine will also provide encouragement for a rapidly growing group of claimant personal injury lawyers looking to bring post-data breach claims for compensation. It is often difficult to attribute a data breach to a breach of the GDPR and even more difficult to prove that such a breach has led to damage and distress, so it will be interesting to see whether the ICO will make any comment about this.
Over the last year, speculation has been rife regarding the approach that the ICO will take to fines. It now clear that the ICO will not be gradually scaling up from its previous £500,000 maximum: the proposed £183.39m penalty is equal to 1.5% of British Airways’ worldwide turnover of £12,226m in 2017. This is still substantially less than the possible maximum GDPR fine of 4% of worldwide annual turnover but is still startling and demonstrates more than ever that cybersecurity needs to stay on the board agenda.
Prior to this announcement, the total value of all fines issued under the GDPR across all EU member states had amounted to €56 million. This includes a €50 million fine by the French DPA (CNIL) against Google for what the CNIL considered to be a lack of transparency, inadequate information and lack of valid consent in relation to Google’s use of personal data for the purposes of personalising advertisements, as discussed in our recent article.
When the decision is finally published, this case should provide some long-awaited clarity regarding the ICO’s exercise of its enforcement powers and in particular what it considers to be “appropriate technical and organisational measures” to protect personal data, which is the key technical standard littered throughout the GDPR.”
Laurie Mercer, Security Engineering Lead at HackerOne:
“The average price on the bug bounty market for vulnerability like the one used to attack British Airways is about £400. That is about 0.00022% of the ICOs intended fine for British Airways. When looking at the numbers like this, it really highlights that it is much cheaper and safer to engage with the global white hat community.
Cyber criminals are continuously probing your websites and APIs, continuous security is required to match their abilities and avoid such eye-watering fines.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.