
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


British Airways hit with a Potential £183M Fine for GDPR Data Breach

Topics: Data Protection, Data Loss Prevention, Data Breach, GDPR, General Data Protection Regulation, Data Security

Posted: 10 July 2019


So here we are, at the juncture we have all been expecting, where warning and preparation meet reality. The ICO has announced its intention to levy the first astronomical penalty under the GDPR, with British Airways in its cross-hairs, to the tune of £183 million.

After last year's high-profile data breach it was expected that British Airways would be made an example of, and what an example it is.

The ICO (Information Commissioner's Office), the UK's supervisory authority for data protection, has issued British Airways with a notice of its intention to fine, leaving the airline 28 days to make representations before the penalty is finalised.

Undoubtedly it will, meaning that the final value of the fine could well change.

How Was British Airways Breached?

In September 2018 British Airways publicly disclosed a data breach which affected the records of roughly 500,000 customers, with the compromise believed to have run from June to September of that year. The data involved included names, billing addresses, email addresses and payment card details.

It took some time for details to emerge, but we now know that the attackers were able to replace a JavaScript library normally used by the site with a modified copy that skimmed data from the payment pages as customers entered it and sent it to a domain under the attackers' control.

This affected the website, the mobile app and some third-party booking servers.

Post-breach, many of those affected had to cancel the payment cards exposed in the breach.


How Has the ICO Arrived at This Number?

That is a great question, and one which the appeal process is likely to make clearer.

What we do know is that under the GDPR a data controller can be fined up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements, including a failure to keep personal data secure. The proposed £183 million is around 1.5% of British Airways' 2017 worldwide turnover, so the ICO has stopped well short of the maximum.

It has often been commented, both in the industry and by ICO representatives, that fines of this size are reserved for cases of abject failure. It is reasonable to infer that the ICO considers British Airways had not taken adequate steps to prevent this breach from taking place.


How Can You Prevent a British Airways Style Breach?

We cannot be sure what measures British Airways had in place to stop malicious code being placed on its site, or how the attackers were able to inject the code undetected.

However, what we would recommend in such cases is a FIM (File Integrity Monitoring) solution such as Tripwire Enterprise. Such solutions take a baseline of critical files, detect any change to them on critical systems, alert an IT team or SOC to those changes, and present the opportunity to revert them.

Injecting a skimmer into a site's JavaScript necessarily changes a file on a server, or the response served in its place, so any unexpected change to web content on production systems should be treated with the highest level of suspicion. Note that server-side FIM only covers hosts you control; a script loaded from a third-party host needs a browser-side check such as Subresource Integrity, which makes the browser refuse a script whose hash does not match the one declared in the page.
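To make the file-integrity idea concrete, here is an added example (not Tripwire's code, and not anything British Airways ran) that baselines the SHA-256 digests of the scripts, pages and stylesheets under a web root, rescans after a simulated tampering, and reports which files were modified, added or removed. It assumes the site's static assets live under a single directory; the web root, the library file `vendor-lib.min.js` and the appended "skimmer" line are all constructed inside a temporary directory so the script runs offline.

```python
"""File-integrity baseline and comparison for a web root's static assets.

Added example, not Tripwire's code or anything British Airways ran. It
assumes the site's static files live under one directory; the files used
below are constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# File types a skimmer would have to touch to reach a payment page.
WATCHED_SUFFIXES = {".js", ".html", ".css"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large bundles do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Baseline a constructed web root, tamper with it, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        lib = root / "js" / "vendor-lib.min.js"  # constructed stand-in for a site library
        lib.write_text("/* constructed library */\nfunction lib(){}\n")
        (root / "payment.html").write_text("<form id='pay'></form>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a watched type; ignored

        baseline = build_baseline(root)

        # Simulate the attack: a skimmer hook is appended to the legitimate
        # library and a new script is dropped alongside it. The image also
        # changes, which the watch list deliberately does not report.
        lib.write_text(lib.read_text() + "/* constructed skimmer hook */\n")
        (root / "js" / "extra.js").write_text("// constructed: unexpected new file\n")
        (root / "logo.png").write_bytes(b"\x89PNG\x00")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two design points matter in practice. The baseline must be stored, and the comparison run, somewhere other than the monitored host, because an attacker who can rewrite a script in the web root can just as easily rewrite a baseline kept beside it. And the scan should cover what is actually served (for example by fetching the script through the CDN and hashing the response) as well as what is on the origin's disk, since the two can differ.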

If there is one thing we can take from this week's news, it's that the period of complacency since the GDPR came into force is over. The GDPR was created to make poor security preparation more expensive, something the ICO is keen to make sure British Airways and anyone else watching understands.

Posted by: Infinigate UK