The Information Commissioner’s Office (ICO) has proposed a fine of £183 million for British Airways (BA) in relation to a cyber attack on their systems that led to significant losses of personal data of some 500,000 customers.
The BA hack is understood to have begun in June 2018 and was reported to the ICO, by BA in September 2018.
This is a proposed fine so BA will have an opportunity to make representations to the ICO as to the proposed findings and sanction.
Methodology of the BA hack
Following an investigation, the ICO has found that a variety of personal data was compromised by poor security arrangements within BA, which affected log in, payment card, and travel booking details as well name and address data about BA customers. Because many people reuse login credentials, BA customers may have also compromised other accounts and log in details.
According to reports, the hackers altered a third-party software script on BA’s website. Over a 15-day window this script captured personal and financial data (names, home addresses, credit card numbers and 3-digit CVV codes). This happened in real time as customers entered them, rather than exfiltrating data from BA’s existing database. The script then transmitted that data to a database controlled by the hackers. In this way, the hackers were able to obtain CVV codes, even though BA deliberately did not store these in its servers.
The hackers methodology reduced the risk of detection and masked their activities.
Consequences of the data breach
The ICO has conducted an extensive investigation. It found “poor security arrangements” at BA, but has acknowledged that BA have made security improvements since the hack.
In calculating the level of fines, the ICO took into account “the seriousness of the incidents, including the number of people affected, the types of data involved, the degree to which there were failings by the companies and the measures they took to co-operate with the ICO and mitigate the harm to impacted individuals.” These factors give businesses scope to mitigate any potential fines from the ICO through preparation and effective incident response.
The BA proposed fine is approximately 2-3% of their respective global revenue, compared to a maximum of 4%.
The ICO has been investigating the case as the lead supervisory authority on behalf of other data protection authorities in other EU Member States. The ICO has liaised with other authorities in assessing the level of the fines. Under the GDPR’s “one-stop shop” rules, the other EU authorities whose data subjects have been affected will also be able to respond to the ICO’s initial proposals.
In addition to the hefty ICO fine, affected customers are also able to bring a group litigation for compensation.
What should your business do now in light of the BA hack?
This was a sophisticated attack, but shows the levels hackers will go to, and the consequences of such an attack.
Businesses of all sizes should have robust security policies in place to reduce the risk of data breaches and cyber-attacks. They should also have an incident response plan showing how an incident response team will respond to a data breach in terms of triage, containment, eradication, notification, reporting and recovery.
The plan should set out sources of external support e.g. cyber consultants, lawyers, PR and forensic advisors. There should be a framework for deciding when it’s necessary to notify the ICO or affected data subjects following a cyber-attack that causes a personal data breach.
How can we help you with incident response?
We can review and prepare internal policies to help businesses create suitable internal governance. We can help businesses assess data breaches and cyber security risks and provide incident response. We tailor support based on a client’s own capabilities and resources.
We also support clients involved in data and cyber breaches, including advising on strategy, notification of the ICO, preparing detailed reports of the incident and drafting communications to affected customers and press releases.