Published on July 8th, 2019
British Airways Hit With Record Fine Following 2018 Cyberattack
U.K.-based airline British Airways (BA) is facing a record fine of £183 million ($229 million) after suffering a cyberattack in October last year. The U.K. Information Commissioner’s Office (ICO) said it was the biggest penalty it had ever issued and it’s the first to be made public following the implementation of the EU Update to Data Protection Regulation (GDPR).
According to the BBC, BA’s owner IAG was “surprised and disappointed” by the fine.
BA cyberattack and the GDPR fallout
Since coming into force in May 2018, the GDPR stipulates that firms must report a breach within 72 hours. When BA was hit by a cyberattack in September last year, the airline took just one day to inform its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and CVV codes.
It didn’t take long to find out that these details were taken via a malicious script designed to steal financial information by skimming BA’s payment page before the form was submitted. This attack, thought to be perpetrated by Magecart, the same group that hit Ticketmaster, allowed the attackers to see people’s details as they were entered on the page.
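To show what a defender can check against the skimming technique described above, here is an added example (not code from the article, BA or Magecart): a small audit of a payment page's script inventory that flags scripts from unlisted origins, external scripts without a Subresource Integrity hash, and inline scripts. The page URL, allowlist and sample HTML are constructed for the example.

```javascript
// Added example, not code from the article or from BA: audit the <script>
// tags of a payment page, the surface a Magecart-style skimmer abuses.
// Flags: scripts from an origin outside an allowlist, external scripts
// without a Subresource Integrity (SRI) hash, and inline scripts (an
// injected skimmer is often one). All values below are constructed.

const PAGE_URL = "https://www.example-airline.test/checkout";
const ALLOWED_ORIGINS = new Set(["https://www.example-airline.test", "https://cdn.example-airline.test"]);

// Constructed checkout page: one first-party script with SRI, one
// third-party script without SRI, and one inline script.
const SAMPLE_HTML = `
<form id="payment"><input name="card"></form>
<script src="https://cdn.example-airline.test/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.thirdparty.test/analytics.js"></script>
<script>document.forms[0].addEventListener("submit", () => {});</script>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Returns a list of {kind, detail} findings; an empty list means every
// script comes from a listed origin, is integrity-pinned and is not inline.
function auditPaymentPage(html, pageUrl = PAGE_URL, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) {
      if (m[2].trim()) findings.push({ kind: "inline-script", detail: m[2].trim().slice(0, 40) });
      continue;
    }
    // Relative src values resolve against the page URL.
    const origin = new URL(attrs.src, pageUrl).origin;
    if (!allowed.has(origin)) findings.push({ kind: "unlisted-origin", detail: origin });
    if (!attrs.integrity) findings.push({ kind: "missing-sri", detail: attrs.src });
  }
  return findings;
}

console.log(auditPaymentPage(SAMPLE_HTML));
```

Running the audit against the sample page reports the third-party analytics script twice (unlisted origin, no SRI) and the inline handler once.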
Previously, the largest fine issued by the ICO was £500,000. But under GDPR, firms can be fined up to 4% of turnover. In BA’s case, the maximum fine would be £500 million. And that’s in addition to the class action lawsuits becoming commonplace among disgruntled customers.
Will BA appeal the GDPR fine?
BA has 28 days to appeal the fine. So will it?
Given the airline’s reaction, it seems so. And chief executive of IAG, Willie Walsh, has confirmed this. "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.
British Airways' chairman and chief executive, Alex Cruz, defended the airline’s reaction to the cyberattack. "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
BA’s GDPR fine: The impact
It is an “extraordinarily huge fine” showing the true cost of GDPR, says Ian Thornton-Trump, security head at AMTrust Europe. “Slowly and painfully—for BA—the impact of GDPR will be realized by companies. Even if BA and the ICO settle on a lower number, the fine will still be significant, impactful and dissuasive—exactly the intent of GDPR.”
It could also set a precedent for future GDPR fines. Regardless of the result of the appeal, it’s clear the regulator means business and is not afraid to punish companies for data breaches. And the size of the breach isn’t the key: it’s the nature of the data compromised.
Thornton-Trump says investors and executives “will be freaking out.” However, he points out that the airline will improve security and “has to a certain extent already.” He, therefore, thinks investing in BA isn’t actually a bad idea: “I would invest in BA as a long-term strategy as they are about to take customer security way more seriously than ever before.”
BA GDPR fine: A wake-up call
But at the same time, the significant fine shows firms have to invest in the services they use. “This is a huge wake-up call to owners of websites that collect personal and credit card data,” Thornton-Trump says.
“What companies need to realize is the lack of investment in their customer-facing technology platforms, complexity and technical debt now have tangible impact to bottom line results.”
He says executives take note: “Failure to invest and secure may cost your company tens of millions.”
BA, like many international airlines and other organizations with widely distributed platforms, has a lot of "technology real estate" to manage, says Nicola Whiting, chief strategy officer at Titania. “Their security and network operations centers are often tied up with basic housekeeping on networks of this scale, which can create conflict with the commercial drives of the business. Often this leads to third-party apps or services plugging the gap—which can create unexpected routes to customer data.”
Whiting thinks the ICO’s fine will make organizations and businesses look more carefully at "data risk" when evaluating potential sales, marketing or customer service gains.
Thornton-Trump agrees. “Pen tests, audit and road maps for security improvements are all going to become major priorities. This is a high stakes data security poker table and the dealer just doubled down.”