2020-10-19
British Airways has been fined £20m for failing to protect the personal and financial details of more than 400,000 customers, according to Business Live. This follows an investigation by the Information Commissioner's Office (ICO) after the airline was the subject of a cyber-attack in 2018 which it did not detect for more than two months. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. ICO investigators found that BA did not detect the attack of 22 June 2018 themselves but were alerted by a third party more than two months afterward, on 5 September. Once it became aware, BA acted promptly and notified the ICO. Although this fine is the biggest issued by the ICO to date, it is still just a fraction of the £183 million fine the organisation originally said it intended to issue in 2019.
EXPERT COMMENTS
Joseph Carson, Thycotic, Chief Security Scientist
October 19, 2020
The recent news recording another huge ICO (Information Commissioner's Office) fine of £20m, this time against British Airways for failing to protect the personal and financial details of more than 400,000 of its customers, is another reminder to protect and secure privileged access, as cybercriminals will always look to gain privileged access because it allows them to move around the network and gain access to sensitive files or databases including employee and customer personal data. The investigation found that the attacker discovered a username and clear text password of a privileged domain administrator account left in an unsecured file, which once in the hands of a criminal hacker literally means it is game over. Organizations must prioritize privileged access security and never leave domain admin accounts unprotected in clear text within a file; otherwise it is an easy win for the criminals. Our job in cybersecurity is to make it difficult for criminals, to protect the business and customers' data.
Aman Johal, Lawyer and Director, Your Lawyers
October 19, 2020
It is concerning that British Airways has been fined just £20m after a significant climb down from the ICO's provisional intention to fine the airline £183m following their 2018 data breach. A reduction of £163m, almost 90%, means the final fine is a drop in the ocean for BA. The fact that this agreed fine is a clear admission of liability from BA now cannot be ignored. There is now no excuse for BA defending the compensation action any longer, and they must agree to compensation settlements immediately. More delays in doing the right thing serve only to further damage the BA brand following numerous scandals in recent years. The change in CEO is an opportunity for the airline to show proper leadership and get a hold of BA's dwindling reputation. Resolving the compensation action is a key part of this. The ICO's earlier record intention to fine was a landmark moment. It set the standard as a candid warning that is so desperately needed at a time when large scale data breaches are rampant. I am concerned that such a significant climb down undermines the GDPR and its ability to act as a credible deterrent to big business by sending the message that they can orchestrate their way out of paying substantial financial penalties. If this is to be a trend, the only real deterrent against large corporations breaching the GDPR will be the pursuit of large group action claims for compensation, like the one against British Airways.
At Your Lawyers, we will not be climbing down and, whilst we understand the challenges faced by the aviation industry from COVID 19, our legal action is now even more significant in making sure that the airline is held to account.
Matt Walmsley, EMEA Director, Vectra
October 19, 2020
Attackers invariably need to seek and gain privileged access. The details of the BA attack contained in the ICO's report should serve as a salutary yet cautionary tale for security leaders and architects. Single-factor authentication on VDI remote desktop services, storage of passwords in plain text and hardcoding of credentials in scripts aiding lateral movement and privilege escalation, and a lack of network monitoring and detection capabilities to detect privilege abuse and attacker movement, all stand out in today's £20M GDPR penalty notice filing. All defenses are ultimately imperfect, which is why early detection and response to an active attacker inside your organisation can make the difference between a contained security incident and a damaging and costly breach.
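Two of the comments above (Joseph Carson's and Matt Walmsley's) point at the same weakness the ICO called out: a domain administrator password left in clear text in a file, and credentials hardcoded in scripts. The check a practitioner would want is a scan of file shares and script repositories for exactly that. The scanner below is an added example written for this page; it is not code from the ICO report, from BA, or from any of the commenters. The sample files, the file names and the secrets in them are constructed for illustration, and the regular expressions are heuristics for a few common ways credentials end up as literals (key/value assignments, a `mysql -p` flag, an inline password in a Windows `net use` command). A real deployment would add patterns for the tooling in use and run over a filesystem walk instead of an in-memory dictionary.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for scripts and notes found on a file share.
# Names and secrets are invented for this example; none come from the BA case.
SAMPLE_FILES = {
    "backup.ps1": (
        "$user = 'CORP\\svc_backup'\n"
        "$pass = 'Summer2018!'  # TODO move to vault\n"
        "net use \\\\fileserver\\share /user:$user $pass\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD=\"${DB_PASSWORD:-}\"\n"        # environment lookup, not a literal
        "mysql -u app -pHunter2 app_db < schema.sql\n"  # literal password on the command line
    ),
    "admins.txt": (
        "Domain admin: CORP\\Administrator\n"
        "password: P@ssw0rd2018\n"
    ),
    "README.md": "Set PASSWORD in your environment before running.\n",
}

# Heuristic patterns for credentials stored as literals. Group 1 is the candidate secret.
PATTERNS = [
    # key = value / key: value, e.g. "password: x", "$pass = 'x'", "DB_PASSWORD=\"x\""
    ("keyword assignment",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{4,})")),
    # mysql-style inline password flag: mysql -u app -pSecret
    ("mysql -p flag",
     re.compile(r"\bmysql\b.*\s-p([^\s'\"]{4,})")),
    # Windows 'net use' with the password given inline after /user:DOMAIN\name
    ("net use inline password",
     re.compile(r"(?i)\bnet\s+use\b.*\s/user:\S+\s+(\S{4,})")),
]


def looks_like_reference(value: str) -> bool:
    """True when the captured value is a variable lookup or placeholder rather than a literal."""
    return value.startswith(("$", "%", "<", "{{")) or set(value) <= set("*xX")


def mask(secret: str) -> str:
    """Keep only the first two characters so findings can be reported without re-exposing the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(name: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, pattern label, masked secret) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m and not looks_like_reference(m.group(1)):
                findings.append((name, lineno, label, mask(m.group(1))))
                break  # one finding per line is enough for triage
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for name, lineno, label, masked in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {label}: {masked}")
```

Against the sample files the scanner reports three findings (the PowerShell `$pass` literal, the `-pHunter2` flag, and the `password:` line in the text file) and stays quiet on the `net use` line and the `DB_PASSWORD` line, because both only reference variables. Findings are reported masked so the report itself does not become another plaintext copy of the credential.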
Stuart Reed, UK Director, Orange Cyberdefense
October 19, 2020
While the size of the fine may be smaller than many people expected, the impact on the airline in terms of customer trust could be even bigger than the financial cost. The ICO's finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning. Organisations are expected to demonstrate the best security practice at all times. It is imperative that they recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly. Firms must adopt a layered security approach that includes people, processes, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.
Jake Moore, Cybersecurity Specialist, ESET
October 19, 2020
Fines are, without a doubt, a necessary part of the data breach chain. Organisations must understand they cannot get away with compromising personal data – which will have potentially cost customers more than this initial fine. While some organisations view these fines simply as a potentially inevitable business cost, the fine issued must represent the real cost to customers and the situation they have been placed in. Significant consequences to businesses are of the utmost importance at the current moment, as the rapid, potentially haphazard move to remote working has caused a shift in priorities for some – with organisations potentially neglecting data protection amongst the chaos.
