British Airways has been fined a record-breaking £20m, and has also paid out an undisclosed sum to settle a group action, for breaching data protection law. Its systems were compromised, and the attackers captured customers’ payment card details, including the CVV codes, as the customers entered them.
Over 420,000 people were affected. This number would have been smaller had the breach not gone undetected for two months. It was an external security researcher who noticed it. It is not clear whether, or when, BA would have noticed it itself, and this was considered a severe failing.
It may have been a compromise of their booking site, or of a third-party provider of code used in the booking site. It may have been an insider, or an outsider. But there were measures BA could easily and cheaply have taken which would have reduced the risk, such as:
- continually vetting the third-party code they were using;
- limiting access;
- rigorous testing (simulating cyber-attacks); and
- using multi-factor authentication.
The two main failures of BA were: (a) not investing enough time and money in their system security; and (b) not noticing the breach for two months. They do not appear to have been on the ball.
The ICO initially said it was going to fine them £183m, but reduced it to £20m, in part because of the financial hardship airlines are currently suffering due to the pandemic. The ICO may not be as lenient in the future.
It is clear that the ICO is going to enforce the data protection law rigorously. Personal data is very valuable. Cyber criminals are getting cleverer. The victims of these attacks suffer anxiety as well as potential loss.
Protect your data
The law requires companies to take ‘appropriate’ technical and organisational measures to protect personal data. The ICO will be more lenient if you have invested in your system security to an appropriate level. The ICO found that BA had not done this, and that this was not acceptable.
The ICO said “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure”.
Ticketmaster was similarly fined £1.25m for (a) failing to assess the risk of using a chat-bot, hosted by a third party, on its payment page, (b) failing to put in place measures to negate that risk, and (c) failing to identify the source of suggested fraudulent activity in a timely manner. Again, payment card details were stolen. The ICO said the fine “will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”.
If you need to talk to us on this issue please contact us in absolute confidence.