The news that British Airways has been told by the Information Commissioner's Office that it faces a record fine for breaching GDPR rules has come as a shock to many. It should not have. The ICO has consistently warned organisations that they faced potentially massive fines, up to 4% of their turnover, as a result of the new EU data protection rules that came into force in March 2019.
It was always likely that the ICO would look to make an example of some high-profile offenders, and BA seems to have fallen into that category. The previous highest fine issued by the ICO was the £500,000 levied against both Facebook and TalkTalk. This was the maximum fine under the old legislation, but the stakes are much higher now.
The fine could have been even worse for BA, as they have currently only been informed of a fine of 1.5% of their turnover, amounting to £183 million. They do have the right of appeal against the size and imposition of this indicative fine, so it may eventually be reduced, but it will still undoubtedly run into the tens of millions.
BA’s customer data breach was first disclosed in September 2018 when the airline revealed that hackers had breached its computer systems to steal data relating to about 380,000 customers from its mobile app and website.
In October 2018, BA revealed that cybercriminals had stolen credit card details of 185,000 more customers in what it described as a sophisticated, malicious criminal attack that took place over a three-month period. Apart from the personal details, customers’ email addresses, card numbers, expiry dates, and card verification value numbers were likely stolen, BA warned.
To have fallen foul of the GDPR legislation, BA must have been found either to have failed to take reasonable steps to protect its customers' data, or to have failed to provide evidence to the ICO that it had done so. The reputational hit to BA may cost them even more than the massive fine, if customers start to lose trust that their data is secure with the company.
It is not yet clear how the breach at BA occurred, but it is already clear that this was a catastrophic failure of internal security monitoring by BA. Not only were their systems breached, but they failed to notice this for three months or more.
There are many routes into the systems of a massive, globally spread company like BA, most likely through the weakest link of its human operators. The corporate security perimeter will extend beyond their own staff to outsourced roles like ground handling agents in dozens of countries around the world.
To protect themselves effectively, a company like BA needs to adopt a radically different security mindset. This may not be possible using only their internal resources. The focus of their ICT department is to keep multiple time-critical operational systems running effectively, rather than to make sure that they are completely secure.
What they really need is an external perspective that is focussed solely on security and not on operations. Internally, continuity of operations will always take priority over an invisible threat, particularly when an interruption in those operations could leave people and cargo stranded around the globe.
Behavioural monitoring software, such as the ThreatSpike AI solution, will monitor systems to build up a picture of normal traffic and spot suspicious or even just unusual activity in real time. A data breach like that suffered by BA would be identified within days or even hours and the systems could be locked down before significant damage is done.
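One way to implement the baseline-and-deviation logic described above, as an added example (this is not ThreatSpike's code; the log format, host names, destinations and the 3-sigma / 10% floor thresholds are all constructed assumptions):

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs (not real BA data): "<day> <host> <dest> <bytes_out>"
BASELINE_LOGS = """\
d01 web01 cdn.example 5200
d01 web01 api.example 4100
d02 web01 cdn.example 5400
d02 web01 api.example 3900
d03 web01 cdn.example 5100
d03 web01 api.example 4000
""".splitlines()
NEW_LOGS = """\
d04 web01 cdn.example 5250
d04 web01 api.example 4050
d04 web01 203.0.113.9 2900
d05 web01 cdn.example 48000
""".splitlines()

def daily_totals(lines):
    """Sum bytes out per (host, dest) per day, preserving first-seen order."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, host, dest, nbytes = line.split()
        totals[(host, dest)][day] += int(nbytes)
    return totals

def build_baseline(lines, floor=0.1):
    """Mean and spread of daily volume for every (host, dest) pair in history.
    Spread is floored at floor*mean (assumed tuning) so a steady history
    does not alert on its first trivial fluctuation."""
    baseline = {}
    for pair, per_day in daily_totals(lines).items():
        vals = list(per_day.values())
        mu = mean(vals)
        baseline[pair] = (mu, max(pstdev(vals), floor * mu))
    return baseline

def detect(baseline, lines, z=3.0):
    """Flag destinations never seen in the baseline and days whose volume
    exceeds mean + z*spread; each alert is (kind, day, host, dest, bytes)."""
    alerts = []
    for (host, dest), per_day in daily_totals(lines).items():
        for day, nbytes in per_day.items():
            if (host, dest) not in baseline:
                alerts.append(("new-destination", day, host, dest, nbytes))
            elif nbytes > baseline[(host, dest)][0] + z * baseline[(host, dest)][1]:
                alerts.append(("volume-spike", day, host, dest, nbytes))
    return alerts
```

Run `detect(build_baseline(BASELINE_LOGS), NEW_LOGS)` to see the two conditions a real deployment would alert on: a host opening a connection to a destination it has never spoken to, and a known destination receiving far more data than its history justifies.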
It is nigh on impossible to stop all data breaches, and the ICO is well aware of this. If BA had been able to spot the breach within a few days and had taken immediate mitigating action, then they would have suffered a token fine or possibly no fine at all from the ICO.
The ICO has signalled that it means business; make sure that your company is not the next one to be made an example of.
Head of Cyber Security