Following an extensive investigation, the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR). As reported by Risk Xtra in great detail at the time, the proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018.
This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. The personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June last year.
The ICO’s investigation has found that elements of sensitive information (including log-in, payment card and travel booking details as well names and addresses) was compromised by poor security arrangements at the company, .
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it’s more than an inconvenience. That’s why the law is clear – when you’re entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they’ve taken appropriate steps to protect fundamental privacy rights.”
British Airways – which is owned by the International Airlines Group (IAG) – has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the European Union (EU) whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
Reaction from BA and IAG
Reporting on the BBC website, technology correspondent Rory Cellan-Jones has stated that Willie Walsh, CEO of IAG, has confirmed British Airways will be making representations to the ICO. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Walsh.
Cellan Jones has also quoted Alex Cruz, British Airways’ chairman and CEO, who has said the airline is “surprised and disappointed” in the ICO’s initial finding. “British Airways responded quickly to a criminal act to steal customers’ data,” said Cruz. “We’ve found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Egress CEO Tony Pepper commented: “This news brings into stark focus the severity with which the ICO is addressing data compliance under the GDPR. The total proposed fine of £183.39 million, which is equivalent to 1.5% of British Airways’ global turnover for the financial year ending December 31, dwarfs the previous highest fine of £500,000 given to Facebook for serious breaches of data protection law in 2018.”
Pepper continued: “This fine for British Airways not only puts an end to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its foremost priority. It could very well be the first of many large fines issued by the ICO and will most definitely serve as a wake-up call to organisations that offer goods or services to – or monitor the behaviour of – EU data subjects.”
Breaking down the numbers
Colin Truran, principal technology strategist at Quest, observed: “The British Airways-AIG data breach heralds the start of the GDPR being applied to business failures in protecting our personal data. It’s worth breaking down the numbers for a better perspective. This is a record fine and a significant one for an industry that struggles to maintain a steady profit. However, it equates to only £366 per person and, based on what Facebook are willing to pay for the use of far less critical information, this doesn’t seem that much.”
Truran went on to state: “We need to understand that this is meant to be a slap on the wrist for the uncontrolled exposure of sensitive information for which we will never really know how it’s been used. What we really need to understand is why the failure happened, what can be learned from this episode and what measures British Airways has implemented since then to improve the situation. We would also like to know what staved the hand of the ICO in not going for the full 4%, was it based on the measures British Airways had in place, the action it took to identify and notify individuals as well as it’s co-operation with the ICO. These early cases are vital to help business understand the risks they face and how they can mitigate them for themselves and, of course, their customers.”
Truran concluded: “British Airways isn’t out of the woods yet. Outside of an appeal, this may not be the end of it for IAG. Under the GDPR, they will also be subject to a much easier litigation process from affected individuals or ‘ambulance chasers’ wishing to act on their behalf.”
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented: “The £183 million fine doesn’t really terminate the legal ramifications of British Airways related to the website hack. Other parties may still have valid claims against British Airways. It’s now important to determine whose negligence or misconduct ultimately caused or facilitated the breach. If British Airways was relying only on automated vulnerability scanning for a business-critical application, a cyber security supplier who suggested such a reckless strategy may be liable under certain circumstances and British Airways may cross-claim the damages.”
Kolochenko also said: “In any case, this is a gloomy reminder that web and mobile application security is essentially important and, if negligently disregarded, may cost hundreds of millions. Prompt reaction, investigation and rapid notice will not be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints.”
Security is a C-Suite issue
David Francis, IT security consultant at KCOM, informed Risk Xtra: “The British Airways fine demonstrates the paramount importance to business of getting security right. Data access must be controlled with the greatest of care for the sake of customer privacy first and for the health and reputation of the business second. It’s essential to be able to identify when a breach has taken place, who accesses what information and where it has moved. Endpoint protection is not enough – the data is the target and the asset so it’s data that must be secured, with as much granular insight into access privileges as possible. Only then can companies be rapidly notified of unauthorised access and have a better chance of identifying the source of the leak at speed.”
Francis added: “Once data is out of the network, it can never be recalled. For that reason, and as the scale of this fine reinforces, identity and access management (IAM) must now be viewed as top-level strategic priorities, not a backroom concern. IAM is now a Board-level issue, and CIOs need to ensure they have the right tools in place and the right partners in their network to ensure they can reassure the C-Suite that security will not let the organisation down. IAM is essential to business continuity and customer privacy. The British Airways episode should be a call to arms for businesses of all kinds.”
Dr Guy Bunker, CTO at cyber security company Clearswift, observed: “While there have been a number of breaches since the GDPR was enforced last year, this is one where the affected business has admitted what has happened and believes it ticks all the boxes when it comes to personal data being compromised. Consequently, this is the first major ICO fine for a GDPR breach in the UK, which shows the ICO is willing to fine large companies for losing personal information. British Airways will now have to redouble its efforts to prove that it and its suppliers have a malware-free infrastructure in order to begin the process of rebuilding trust with its customers. The company is being fined 1.5% of its worldwide turnover in 2017, which is near the 2% maximum fine.”
Bunker went on to state: “The good news is that the breach was picked up relatively quickly. British Airways has systems in place such that it could narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the British Airways team appears to have done its due diligence on the event quickly and efficiently.”
Also, Bunker told Risk Xtra: “Finding a second attack is not uncommon. Indeed, there may well be more. The sophisticated attacks which are now carried out by organised criminals are designed to have multiple aspects such that if one’s discovered, there are secondary or tertiary attacks ongoing. When finding one vulnerability in an IT infrastructure it will be exploited to its maximum, and within that exploit further discovery will be carried out as to what other pieces of malware can be introduced. Once an infection takes hold of an environment, it often becomes easier to start from scratch to rebuild it rather than try and take out the malware infections one by one – where, if you miss one as it’s hibernating, you could end up back at Square One in a few weeks or months’ time.”
Fine “could have been more like £520 million”
Colin Tankard, managing director of data security company Digital Pathways, told Risk Xtra: “Actually, British Airways is lucky the fine’s restricted to £183 million. The ICO has the power to levy up to 4% of turnover and, in the case of this company which had an estimated turnover of revenue in the region of £13 billion last year, it could have been more like £520 million. It’s likely that the ICO took into consideration the facts that British Airways declared and the loss quickly and that, to date, it would seem no users have had their details compromised.”
Tankard continued: “This breach has been associated with poor security arrangements within British Airways and the possibility of a ‘man in the middle’-style attack with some user traffic being sent to a fraudulent site. From the information given by British Airways and other sources, it would appear the hack was due to rogue code being added to the British Airways website. When a user went to complete a booking, unbeknown to them they were taken to a ‘lookalike’ site where they were asked to enter their details and credit card numbers, including the all-important three-digit CVV number on the reverse. Rogue code could come from an ‘insider developer’ adding the redirect, or it could be through a third party connection, such as adverts allowed by British Airways to be placed on its website by companies who pay for each impression. Rather like Google Adwords, for example.”
Further, Tankard stated: “What’s evident is that British Airways did not check the code being placed on its web servers, nor did it have monitoring to detect unusual behaviour such as larger than expected external connections or a drop in users completing a booking. It’s so easy for companies to look to make supplementary revenue from their website by selling advert space, but without controls this episode is precisely what can happen. All companies must take greater control of a user’s journey through their systems, whether that be a booking process, registration or a sale and also be aware that someone could be diverting people from the main system to something else.”
In conclusion, Tankard observed: “Organisations should consider installing Web Application Firewall software, as well as having better user and system behaviour monitoring to alert on unusual behaviour, either involving data flows, unknown destinations or administrator connections. Access at unusual times of the day or increased data touch are other red flags. Monitoring must be in place otherwise businesses will have no idea data is being extracted until someone tells them. Perhaps, at last, corporate organisations will stop paying data security lip service and actually put some money where their mouths are and ensure all systems are properly encrypted and secure.”
David Smith, head of GDPR technology at SAS UK & Ireland, explained: “This high-profile ICO fine is the line in the sand many in the industry have been expecting for months. GDPR compliance has been a slow process for many, but the penalties are now clear. Businesses cannot just wait for the hammer to fall. They need to ensure they have full control over the personally identifiable data they hold. Ensuring compliance means understanding what data you hold and where it resides. For most companies, though, that’s a huge task. Data stores often run to many petabytes and can be spread over multiple locations. Organisations need to equip themselves with automated data governance tools such that they might quickly analyse their infrastructure and flag up potential risks before finding out about them the hard way.”
Smith asserts that data analysis tools can play a key role in helping companies to understand their data landscape. Automated categorisation of data values can spot at-risk data faster and more accurately, helping teams to direct their security and governance efforts more intelligently.
“Metadata and model governance are also essential for explaining to customers how their data is being used. The GDPR requires the ability to explain to customers how they’re impacted by automated actions (unless exceptions apply). If you don’t understand the lineage of your data and how it’s used in analytical models (as well as which version of the analytical model was used), then you’ll not be able to provide that explanation. In short, and as this fine proves, compliance is essential. Companies need automated help to be compliant.”
Organisations need to be compliant
James Hall, commercial director (Europe) at digital communication and security specialist Striata, informed Risk Xtra: “A fine this big underlines the fact that data breaches are no longer just a reputational and revenue risk to organisations, but instead will have a serious impact on the bottom line.”
Hall added: “When it comes to data privacy, organisations must ensure that they’ve exercised due diligence in protecting customer information. Some of the security measures required by the GDPR include encrypting data, ensuring systems and services prioritise confidentiality, providing the ability to restore access to personal data and maintaining a process for evaluating system security.
“Ultimately, it’s in an organisation’s best interests to be GDPR-compliant. If organisations are serious about being compliant, the knock-on effect means that they’ll invest in better security and better data governance, massively reducing reputational and financial risk in the event of a breach episode.”