British Airways is set to be fined more than £183 million over a customer data breach.
- The fine relates to the theft of customers’ personal and financial information between June 2018 and September 2018 from the website ba.com and the airline’s mobile app.
- The airline initially said around 380,000 payment cards had been compromised; however, the ICO said in a statement that the personal information of 500,000 customers had been affected.
- The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers.
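The summary above describes customer details being sent from the BA site to a fraudulent host. A standard browser-side control against that failure mode is a Content Security Policy that allowlists where a page may submit forms (form-action) and open connections (connect-src); a page whose policy lacks those directives lets the browser ship data anywhere. The evaluator below is an added example written for this page, not code from the article, BA or the ICO. It assumes the page origin https://www.ba.com (the domain named in the article), a constructed rogue origin `attacker.invalid` that is a placeholder and not an indicator from the incident, and an assumed `*.ba.com` API allowlist; its source matching is deliberately simplified (no paths, ports, nonces or hashes).

```python
"""
Minimal Content Security Policy (CSP) evaluator and audit helper.

Answers two defender questions about a page's own CSP header:
  1. would the browser let <directive> reach <origin> under this policy?
  2. which common gaps let a compromised page exfiltrate data?
Source matching is simplified: schemes, hosts and wildcard subdomains only.
"""
from urllib.parse import urlsplit

# Directives that inherit from default-src when absent. form-action does NOT
# fall back to default-src: if it is missing, any form target is permitted.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "img-src", "style-src"}
ANY_HOST_SOURCES = ("*", "https:", "http:")


def parse_policy(policy: str) -> dict:
    """Parse 'dir a b; dir2 c' into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Simplified CSP source-expression matching against an origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == page_origin
    if src == "*":
        return True
    if src.startswith("'"):          # 'unsafe-inline', nonces, hashes: never a host match
        return False
    o = urlsplit(origin)
    if src.endswith(":"):             # scheme source such as https:
        return o.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)   # host source, scheme optional
    if s.scheme and s.scheme != o.scheme:
        return False
    pattern, host = s.hostname or "", o.hostname or ""
    if pattern.startswith("*."):      # wildcard subdomain: *.ba.com matches api.ba.com
        return host.endswith(pattern[1:])
    return host == pattern


def allowed(policy: str, directive: str, origin: str, page_origin: str) -> bool:
    """True if the policy lets `directive` reach `origin`; True also when no
    applicable directive exists, because the browser then imposes no limit."""
    p = parse_policy(policy)
    sources = p.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = p.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, origin, page_origin) for s in sources)


def audit(policy: str) -> list:
    """Flag gaps that would let a tampered page send data to an arbitrary host."""
    p = parse_policy(policy)
    findings = []
    if "form-action" not in p:
        findings.append("form-action missing: forms may POST to any host (no default-src fallback)")
    for d in ("connect-src", "script-src"):
        if d not in p and "default-src" not in p:
            findings.append(f"{d} missing and no default-src to fall back on")
    for d, srcs in p.items():
        wide = [s for s in srcs if s in ANY_HOST_SOURCES]
        if wide:
            findings.append(f"{d} allows any host via {', '.join(wide)}")
    return findings


# Constructed inputs: page origin from the article, rogue origin is a placeholder.
PAGE = "https://www.ba.com"
ROGUE = "https://attacker.invalid"
WEAK = "default-src 'self'; script-src 'self' https:"
HARDENED = ("default-src 'self'; script-src 'self'; connect-src 'self' https://*.ba.com; "
            "form-action 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{name}] form POST to rogue host allowed:",
              allowed(pol, "form-action", ROGUE, PAGE))
        print(f"[{name}] fetch/XHR to rogue host allowed:",
              allowed(pol, "connect-src", ROGUE, PAGE))
        print(f"[{name}] findings:", audit(pol) or "none")
```

The weak policy looks restrictive because of `default-src 'self'`, yet it still lets a form post anywhere (form-action does not inherit from default-src) and loads scripts from any HTTPS host. Adding a `report-to` or `report-uri` directive on top of the hardened policy turns blocked attempts into telemetry, which is the detection side of the same control.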
The owner of British Airways is facing a fine of £183.4m after a data breach which saw personal details belonging to 500,000 compromised https://t.co/8qmBVb9LNC
— Sky News (@SkyNews) July 8, 2019
Experts’ Comments:
Javvad Malik, Security Awareness Advocate at KnowBe4:
Anna Russel, VP at Comforte AG:
Dr Darren Williams, CEO and Founder at BlackFog:
“The takeaway from this proposed penalty is that consumer privacy needs to be the highest priority for every business and any missteps in protecting data will be addressed with full force. It is inevitable that cybercriminals are going to get in, which is why businesses need a layered and preventative approach. Firewalls to prevent access, malware solutions to remove infections, and most critically, the middle piece focused on preventing the transmission of data off the network.”
Joseph Carson, Chief Security Scientist at Thycotic:
Malcolm Taylor, Director of Cyber Advisory at ITC Secure:
Elizabeth Denham, the Information Commissioner, has made clear that the ICO is taking data breaches seriously; she has said that GDPR protects private data and private data should be just that – private. In practical terms this means that companies are now accountable. That ought to push data and cyber security to where it belongs as a risk issue – the board room. Will it? I think it’s too soon to tell, to be honest. 1.5% of global turnover will focus minds, but the nature of the cyber threat still allows abrogation of that accountability under the cloak of “it’s a technical issue and we don’t understand”. It isn’t, but that will continue to happen. I also hope this is an opportunity grasped by the security industry; we need to stop talking largely to ourselves, and stop assuming that fear will sell what we do, and start instead to present this as a board-level risk which can, with investment, strategy and thought, be mitigated properly (if not totally). Until then, I think we will continue to see breaches, fines and appeals. Sadly.
A final thought. BA claim no-one suffered harm. That may or may not be true – I don’t know. But hundreds of thousands of their clients did suffer personal inconvenience and therefore impact. Anecdotally, individuals spent considerable time sorting out a personal mess caused by the breach.
And finally finally, I have no doubt that there is a risk that large fines such as this will motivate some attackers to target big, well-known corporations; they will take vicarious pleasure from launching an attack, harvesting data, and then watching the size of the fine. Most attackers are in it for the money, but the perverse kudos they will feel (and get) is also likely to be a factor. What price being the attacker behind the ICO’s biggest ever fine?
Peter Carlisle, Vice President of Global Sales at nCipher Security:
As BA has learnt, the future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection. It also means a commitment to transparency. Transparency in telling customers how their data is being collected and used and transparency when it comes to disclosing the scale and affected parties if a data breach does occur. After all, data is any business’s most important asset, regardless of size or sector.
The best defence in cybersecurity is a proactive one, and the right mix of hardware, software and internal education provides a firm foundation of protection. Encryption, digital signing and key generation are also increasingly important, as data that is fully encrypted is useless to hackers even if a data breach does occur.
Piers Wilson, Head of Product Management at Huntsman Security:
Colin Truran, Principal Technology Strategist at Quest:
“It’s worth breaking down the numbers to get a better perspective. This is a record fine and a significant one for an industry that struggles to maintain a steady profit. However, it equates to only £366 per person and based on what Facebook are willing to pay for the use of far less critical information this doesn’t seem that much. We need to understand that this is meant to be a slap on the wrist for the uncontrolled exposure of sensitive information for which we will never really know how it’s been used. What we really need to understand is why the failure happened, what can we all learn from this and what has BA implemented since then to improve the situation. We would also like to know what stayed the hand of the ICO in not going for the full 4%: was it based on the measures BA had in place, the action it took to identify and notify individuals, as well as its cooperation with the ICO? These early cases are vital to help business understand the risks they face and how they can mitigate them for themselves and of course their customers.
They are not out of the woods yet, as outside of an appeal this may not be the end of it for IAG: under the GDPR they will also be subject to a much easier litigation process from affected individuals or “ambulance chasers” wishing to act on their behalf.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
In any case, this is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded – may cost hundreds of millions. Prompt reaction, investigation and rapid notice won’t be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints.”
John O’Keeffe, VP of EMEA at Looker:
“With access to data storage becoming so inexpensive, easy and accessible in recent years, the instinct has been for businesses to hoard any and all data they can get their hands on. In many cases, this has generated results in the form of new insights that never would have been uncovered otherwise.
“However, this has also resulted in businesses housing huge volumes of data, some of which isn’t being used at all, and the rest of which is often duplicated across many locations. This ‘data sprawl’ makes it hard for enterprises to even understand what exactly they’re storing, let alone where it is, how it’s being accessed or how to respond to data subject access or deletion requests. This sprawl can potentially increase risk to the business and to individuals.
“Organisations seeking to achieve GDPR compliance may have tackled this issue prior to the deadline, but they’ll need to ensure the right strategies, processes and technologies are in place to maintain this position moving forwards.”
Philip Greaves, Director and GDPR lead at Protiviti:
Whilst the fine is significant, this is well within the boundaries of GDPR and so is not totally unexpected, and we had heard chatter at various conferences that there may be imminent fines coming out. Given the risk profile of British Airways and previous attacks over the last few years, British Airways clearly needs to be investing heavily in driving stronger cyber controls. The Regulators are not expecting attacks to stop happening, only that organisations have sufficient controls in place to limit the risk to data subjects.
We have very clear messaging around driving risk based investment around your cyber defences and can dovetail this into how organisations can place a personal data lens around this risk management. For example, assessing encryption requirements across the organisation to determine where databases should be encrypted. This will significantly limit the extent of potential data breaches.”
Amanda Finch, CEO at Chartered Institute of Information Security Professionals:
“The industry needs to understand not only how to prevent, but how to react to large breaches if it is to avoid major action. Businesses need not only the technical skills that help make the organisation secure, but the “soft” interpersonal skills that help create a security-minded culture across the company. IT security is in the middle of a long-overdue period of professionalization – standardising approaches and skills to ensure best practice at all times. Events like these show that it can’t happen quickly enough.”
Tony Pepper, CEO at Egress:
The total proposed fine of £183.39 million, equivalent to 1.5% of BA’s global turnover for the financial year ending December 31, dwarfs the previous highest fine of £500,000 doled out to Facebook for serious breaches of data protection law in 2018.
This fine not only puts paid to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority.
This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wakeup call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.
Jake Moore, Cybersecurity Specialist at ESET:
However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands, so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of personally identifiable information.”
Matan Or-El, CEO at Panorays:
Nicola Pero, CTO at Engage Hub:
“More often than not, businesses don’t have the right infrastructure in place. It has been a challenge for companies, particularly those that have legacy processes and aging technology to suddenly switch to building products and services that are compliant. Businesses need to implement a platform that manages all data orchestration so that silos do not get in the way and dramatically increase risk and cost. However, companies must not forget to address the small vulnerabilities that can open the door to major problems. Simple things like not opening spam emails or using more complex passwords go a long way. Ultimately, when everyone takes responsibility for data security, the business overall is in a stronger position to deliver a greater offering and can help to ensure their customers are satisfied and have trust in whether it be their airline or their bank.”
David Emm, Principal Security Researcher at Kaspersky:
“Customers who entrust their private information to the care of an airline should be safe in the knowledge that their data is being kept in a secure manner. As BA moves forward and tries to regain some of the consumer trust that it may have lost amidst this breach, it must now work tirelessly to implement a cybersecurity strategy that is capable of effectively protecting against the evolving skills of the modern cybercriminal. With this attack occurring through a vulnerability in the reservations system, an important first step for BA is to take a step back and re-evaluate its online security strategy. These measures include running fully updated software, performing regular security audits on its website code and penetration testing its infrastructure.”
Sam Curry, Chief Security Officer at Cybereason:
“In today’s corporate world, companies can be heroes or villains in these situations, not victims. There is far more at risk for British Airways if they don’t improve their security and privacy. And while certainly startling on many levels to BA and the world, this is absolutely a wake-up call. The ICO is enforcing its mandate. And while the company may feel singled out, this is the new normal. The message here is clear: it’s not about checking boxes. It’s about privacy in the company’s DNA. You can’t just roll out a good enough app that doesn’t have good enough privacy or security. It’s also not about the facile direct risk of fraud. This is about the privilege of holding data, which is no more a right for BA than for anyone; and violation of that erodes the integrity of a class of users’ identities. By all means, BA should appeal as they have a right, but the new normal is not going to forgive ignorance or whining when the penalty can still increase if BA suffers a further incident or resists correcting operations and overall security.”
Paul German, CEO at Certes Networks:
The issue is that many organisations are still focused on protecting the network, rather than the data itself. The positive side is that organisations are investing heavily in their cyber security strategies, but they are investing in protecting the wrong aspect – the network – which essentially amounts to a lost investment. A different approach is needed.
The security teams that adopt a data-centric approach to cyber security will be able to sleep far easier at night; by protecting payload data with Layer 4 encryption, even if the data is stolen it will be rendered useless to hackers. After all, data is one of an organisation’s most important assets, so those that focus on protecting it by securing data rather than the network, don’t need to worry about the Information Commissioner knocking on their door anytime soon.
Tim Hickman, Partner at White & Case:
“In recent years, many of the most high-profile data protection enforcement actions have involved technology companies. This has led to a view in some quarters that GDPR compliance is primarily a concern for companies in the technology sector and that businesses in other sectors face lower risks. By announcing its intention to issue a record fine to a company outside the technology sector, the ICO is putting businesses on notice that GDPR enforcement is coming for all manner of organisations in all sectors.
“Businesses should therefore take this announcement as a reminder to put serious thought into whether they have identified and understood their GDPR obligations, whether they have satisfied those obligations, and whether they have a plan for addressing any known compliance gaps.”
Dr Guy Bunker, CTO at Clearswift:
Bunker went on to state: “The good news is that the breach was picked up relatively quickly. BA has systems in place such that it could narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently.
“Finding a second attack is not uncommon. And there may well be more. The sophisticated attacks which are now carried out by organised criminals are designed to have multiple aspects – such that if one is discovered there are secondary or tertiary attacks ongoing. When finding one vulnerability in an IT infrastructure it will be exploited to its maximum, and within that exploit further discovery will be carried out as to what other pieces of malware can be introduced. Once an infection takes hold of an environment, it often becomes easier to start from scratch to rebuild it rather than try and take out the malware infections one by one – where, if you miss one as it is hibernating, you could end up back at square one in a few weeks or months’ time.
David Francis, IT Security Consultant at KCOM:
“The BA fine demonstrates the paramount importance to business of getting security right. Data access must be controlled with the greatest of care, for the sake of customer privacy first and for the health and reputation of the business second.
“It’s essential to be able to identify when a breach has taken place, who accesses what information and where it has moved. Endpoint protection is not enough – the data is the target and the asset, so it’s data that must be secured, with as much granular insight into access privileges as possible. Only then can companies be rapidly notified of unauthorised access, and have a better chance of identifying the source of the leak at speed.
“Once data is out of the network, it can never be recalled. For that reason, and as the scale of this fine reinforces, identity and access management (IAM) must now be viewed as a top-level strategic priority, not a backroom concern. IAM is now a board-level issue, and CIOs need to ensure they have the right tools in place and the right partners in their network to ensure they can reassure the C-suite that security will not let the organisation down.
“IAM is essential to business continuity and customer privacy – let BA be a call to arms for businesses of all kinds.”
Saryu Nayyar, CEO at Gurucul:
Ashley Hurst, Partner and Head of Tech, Media and Comms at international legal practice Osborne Clarke:
The proposed fine will also provide encouragement for a rapidly growing group of claimant personal injury lawyers looking to bring post-data breach claims for compensation. It is often difficult to attribute a data breach to a breach of the GDPR and even more difficult to prove that such a breach has led to damage and distress, so it will be interesting to see whether the ICO will make any comment about this.
Over the last year, speculation has been rife regarding the approach that the ICO will take to fines. It is now clear that the ICO will not be gradually scaling up from its previous £500,000 maximum: the proposed £183.39m penalty is equal to 1.5% of British Airways’ worldwide turnover of £12,226m in 2017. This is still substantially less than the possible maximum GDPR fine of 4% of worldwide annual turnover but is still startling and demonstrates more than ever that cybersecurity needs to stay on the board agenda.
Prior to this announcement, the total value of all fines issued under the GDPR across all EU member states had amounted to €56 million. This includes a €50 million fine by the French DPA (CNIL) against Google for what the CNIL considered to be a lack of transparency, inadequate information and lack of valid consent in relation to Google’s use of personal data for the purposes of personalising advertisements, as discussed in our recent article.
When the decision is finally published, this case should provide some long-awaited clarity regarding the ICO’s exercise of its enforcement powers and in particular what it considers to be “appropriate technical and organisational measures” to protect personal data, which is the key technical standard littered throughout the GDPR.”
Laurie Mercer, Security Engineering Lead at HackerOne:
Cyber criminals are continuously probing your websites and APIs; continuous security is required to match their abilities and avoid such eye-watering fines.”