BA Faces £183m Data Breach Fine

British Airways is facing a record fine of £183m for last year's breach of its security systems. The airline, owned by IAG, says it is "surprised and disappointed" by the penalty from the UK Information Commissioner's Office (ICO).

At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website. The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules. The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.

Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

What Information was Stolen?

The ICO said the incident was believed to have begun in June 2018. The watchdog said a variety of information was "compromised" by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information. BA initially said the information involved included names, email addresses and credit card information such as card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.

The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.

What are the New Rules?

The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.

The penalty imposed on BA is the first one to be made public since those rules were introduced, which make it mandatory to report data security breaches to the information commissioner. It also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum. Until now, the largest fine was on Facebook for half a million pounds for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.

What Happens Next?

BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO. "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.

Alex Cruz, British Airways' chairman and chief executive, said the airline was "surprised and disappointed" by the ICO's initial finding.

"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. ... We apologise to our customers for any inconvenience this event caused."

Sources: BBC, ICO
