The 2018 data breach that exposed the personal information of over 400,000 British Airways customers will cost the company £20 million, in the form of one of the largest GDPR fines to date. The UK ICO’s decision found that the travel giant was negligent due to “poor security arrangements” creating a hole in the network that was exploited by attackers for two months before being discovered.
UK ICO settles on £20 million
UK ICO Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
The case remained with the UK ICO as the breach began in mid-2018, at which time the United Kingdom was still part of the EU, and required final approval by the EU’s other data protection agencies (DPA). The GDPR fine amount considered the security measures that were available at the time of the breach, along with the distress caused to the airline’s customers as well as the impact of COVID-19 on the company’s operations.
The data breach is believed to have negatively impacted approximately 429,612 of the airline’s customers and employees. The hackers were able to gain access to administrator accounts and payment systems, using this privileged status over a period of about two months to exfiltrate a variety of sensitive information: full names, residential addresses, credit card numbers, and the security CVV numbers found on the back of cards. The attackers also breached approximately 612 BA Executive Club accounts (the airline’s rewards program).
The breach began in July of 2018, but BA was not aware of it until notified by a third party in September. The investigation by UK ICO listed a number of specific points of failure that BA should have reasonably been expected to shore up prior to the breach: limiting the internal network access that individual user accounts had to critical tools and information, not undergoing regular testing or cyberattack simulations, and not implementing multi-factor authentication within the company network.
Another piece in the GDPR fine pattern
The British Airways GDPR fine has been a long time in the making; the UK ICO first committed to fining the airline in January 2019 but has taken over a year and a half in settling on the exact amount. £20 million is substantially less than the initial £183 million proposed in June of 2019, which would have more than tripled Google’s record £50 million fine from France’s CNIL for its mishandling of its personalized ad tracking service. ICO UK also cut a great deal of slack on the deadline, which was not supposed to go beyond April 2020 prior to the onset of the pandemic. The airline can thank a successful appeal plus hardship status owed to the COVID-19 crisis for the greatly reduced amount, which falls below 1% of its total annual turnover. Still, the amount will clock in as the fourth-largest GDPR fine behind the ones delivered to Google, H&M’s German customer service center and Italian telecoms giant TIM.
After two and a half years, GDPR fine and penalty patterns are still coming into focus. This ruling by the UK ICO does reinforce the idea that organizations will be held to the expected security standards of the time and can expect substantial fines (eventually) if they are caught out with inadequate defenses. Sameer Malhotra, CEO and Founder of TrueFort believes that organizations are simply lagging behind threat activity too often and need the most modern solutions available to keep up: “Dwell time is the most important issue to reduce and eliminate when it comes to hackers living off the land, but undiscovered attacks and data theft are all too common. Unfortunately, most enterprises lack the behavioral and real-time analytics needed to uncover unusual or unauthorized access or to detect abnormal behaviors around their critical applications and data sources. This leads to the type of prolonged exposure you have in this instance with British Airways.”
Are massive GDPR fines the solution?
Of course, the airline also managed to drag out an appeal for over a year (aided beyond that by the sudden appearance of the pandemic) and ended up paying what amounts to only a very small fraction of its annual turnover, so one must wonder if even the largest of these fines are really providing the teeth necessary to convince organizations to spend more heavily on security solutions. Ilia Kolochenko, Founder & CEO of ImmuniWeb, also believes that even this relatively modest cost will not end up being any kind of a burden on the company: “The road to hell is paved with good intentions. BA will likely shift the £20 million cost to passengers and employees, as most other companies would probably do. During the pandemic, exemplary penalties aimed to strongly deter others, likely mean more layoffs and less quality of service. While cybersecurity budgets will probably remain intact or even continue their decline. Moreover, in large organizations, even £20 million is just a fraction of the overall security budget thus it may simply mean that paying a “record” penalty is cheaper than investing into a robust and holistic cybersecurity program.”
So what is the answer? Kolchenko does not see maximum GDPR fines or even incarceration for CEOs as making a difference. Instead, he suggests focusing on pouring resources into taking down the hacking groups responsible for these breaches: “To make our digital lives safe and secure, governments should also consider supporting cybersecurity efforts of companies and organizations. This includes efficient and effective cybercrime investigation units, capable of apprehending hackers, send them to jail and recover at least a part of the stolen loot or disgorge their illicit profits. With the mushrooming data protection laws and regulations, from overhyped GDPR to relatively young CCPA, harsh penalties against companies that create jobs and pay taxes – are counterproductive when the state is toothless against cyber gangs that operate in impunity.”
While it’s possible that this approach may be more effective than GDPR fines in reducing hacking complications, it does not account for two other substantial data breach causes: employee error and insider compromise. A report from early 2020 found that 90% of data breaches reported to the UK ICO were attributed to an end user error. Misconfigurations and improper updating/patching are common mistakes that create openings without any involvement by a threat actor. And while insider threats remain relatively minor in the UK, globally it is on the rise as a breach cause with both the amount of incidents and the expected cost rising by double-digit percentages globally in recent years.