So here we are, at the juncture we have all been expecting, where warning and preparation meet reality. The GDPR has delivered notice of its first astronomical penalty, with British Airways in its cross-hairs, to the tune of £183 million.
After last year's high-profile data breach, it was expected that British Airways would be made an example of; and what an example it is.
The ICO (Information Commissioner's Office), the UK's supervisory authority for data protection and processing, has issued British Airways with a notice of intention to fine, leaving the airline with 28 days to appeal the decision.
Undoubtedly they will appeal, meaning that the final value of the fine could be subject to change.
How Was British Airways Breached?
Between June and September of 2018, British Airways' website was breached; the airline made a public disclosure of the breach, which had affected the records of up to 500,000 customers. The data involved included names, billing addresses, email addresses and card payment information.
It took some time for details to emerge; however, we now know that hackers were able to inject a modified version of a JavaScript library normally used by the site, so that it would skim data from the payment pages.
This affected their website, mobile app and some third-party booking servers.
After the breach, some of those affected were forced to cancel payment cards which had been exposed.
How Has the ICO Come to This Number?
That is a great question, and one which is likely to become clearer during an appeal.
What we do know is that under the GDPR, a data controller can be fined a penalty of up to 4% of global revenue from the preceding year, where data breaches have impacted the rights and freedoms of data subjects.
It has often been commented, both in the industry and by ICO representatives, that fines are reserved for cases of abject failure. It can be speculated, therefore, that the ICO felt British Airways had not taken adequate steps to prevent this breach from taking place.
How Can You Prevent a British Airways-Style Breach?
We cannot be sure which measures British Airways had in place to prevent malicious code from being injected into their site, or how the hackers were able to inject the code undetected.
However, what we would recommend in such cases is a FIM, or File Integrity Monitoring, solution such as Tripwire Enterprise. Such solutions can detect any changes on critical systems, alert an IT team or SOC to those changes, and present the opportunity to revert them.
A breach, delivery of malicious code or unauthorised access cannot take place without some form of change on the target system; and as such any change on said systems should be treated with the highest levels of suspicion.
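To make the FIM principle described above concrete, here is an added example (not code from the original post, and not Tripwire's own implementation) of the core check a file integrity monitor performs: record a SHA-256 baseline of a web root's scripts and pages, rescan later, and report anything modified, added or removed. The web root, file names and contents are constructed for the demonstration; in the BA scenario the item of interest would be the modified JavaScript library served on the payment pages.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining on a web tier; adjust to the deployment (assumption).
WATCHED_SUFFIXES = (".js", ".html", ".css")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=WATCHED_SUFFIXES) -> dict:
    """Map each watched file (relative POSIX path) to its current SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline; in production store it off the monitored host or sign it."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the recorded and the observed state."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then alter it and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        lib = root / "js" / "vendor-lib.js"           # stands in for the site's payment-page library
        lib.write_text("function pay(form) { return submit(form); }\n")
        (root / "index.html").write_text("<script src='js/vendor-lib.js'></script>\n")

        baseline_file = root / "baseline.json"         # .json is not watched, so it never self-reports
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorised change: one appended line in the library and one new script.
        with lib.open("a") as f:
            f.write("// line appended after baseline (constructed change)\n")
        (root / "js" / "extra.js").write_text("var x = 1;\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    # Expected: js/vendor-lib.js modified, js/extra.js added, nothing removed.
    print(json.dumps(demo(), indent=2))
```

Any non-empty list in the result is an alert for the SOC: a one-line change to a vendored library is exactly the kind of event that should be treated as suspicious until a deployment ticket explains it. Keeping the baseline off the monitored host (or signing it) matters, because an attacker with write access to the web root could otherwise rewrite the baseline alongside the script.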
If there is one thing we can take from this week's news, it's that the time of complacency since the GDPR's enforcement is over. The GDPR was created to make poor security preparation more expensive, something the ICO is keen to make sure British Airways, and anyone else watching, understands.