BA Faces £183m Data Breach Fine

British Airways is facing a record fine of £183m for last year's breach of its security systems. The airline, owned by IAG, says it is "surprised and disappointed" by the penalty from the UK Information Commissioner's Office (ICO).

At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website. The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules. The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.

Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

What Information was Stolen?
The ICO said the incident was believed to have begun in June 2018. The watchdog said a variety of information was "compromised" by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information. BA initially said information involved included names, email addresses, credit card information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.

The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.
What are the New Rules?

The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.

The penalty imposed on BA is the first one to be made public since those rules were introduced, which make it mandatory to report data security breaches to the information commissioner. It also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum. Until now, the largest fine was on Facebook for half a million pounds for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.

What Happens Next?
BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO."We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.

Alex Cruz, British Airways' chairman and chief executive, said the airline was "surprised and disappointed" in the ICO's initial finding.

"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft....We apologise to our customers for any inconvenience this event caused."

BBC:        ICO

You Might Also Read:

The BA Hack And How Not To Respond To A Cyber Attack:

How Companies Can Minimise Cyber Attack Damage:

 

 

« Wanted: Clarity About Cyber Insurance Cover
2019: Cybersecurity Is In Crisis »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IBackup

IBackup

IBackup is a Web Based Online Backup service provider.

International Telecommunication Union (ITU)

International Telecommunication Union (ITU)

ITU is the United Nations specialized agency for information and communication technologies – ICTs. Areas of activity include cybersecurity.

ISGroup (Information Security Group)

ISGroup (Information Security Group)

ISGroup services include network penetration testing, Web application penetration testing, ethical hacking, vulnerability assessments, code review and associated training.

AllegisCyber Capital

AllegisCyber Capital

AllegisCyber is an investment company with a focus on seed and early stage investing in cybersecurity and its applications in emerging technology markets.

BrainChip

BrainChip

BrainChip is the leading provider of neuromorphic computing solutions, a type of artificial intelligence that is inspired by the biology of the human neuron - spiking neural networks.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

CybernetIQ

CybernetIQ

CLAW by CybernetIQ is the industry's most advanced SOAR platform helping unify all cybersecurity tools under one umbrella and providing organizations faster, better and more accurate cybersecurity.

IPification

IPification

IPification is a highly secure, credential-less, network-based authentication solution for frictionless user experience on mobile and IoT devices.

SAP National Security Services (NS2)

SAP National Security Services (NS2)

SAP NS2 are dedicated to delivering the best of SAP innovation, from cloud to predictive analytics; machine learning to data fusion.

Inflexor Ventures

Inflexor Ventures

Inflexor Ventures is a technology focused venture capital firm that invests in early stage companies from seed to Series-A+ stages.

Turnkey Consulting

Turnkey Consulting

Turnkey Consulting is a leading provider of Integrated Risk Management (IRM), Identity Access Management (IAM), and Cyber and Application Security.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

iSTORM

iSTORM

iStorm specialise in supporting organisations who require a range of Privacy, Security and Penetration testing related services.

Strike Security

Strike Security

Strike Security offers a continuous penetration testing platform that combines automation with ethical hackers.

Drumz

Drumz

Drumz plc is an investment company whose investing policy is to invest principally but not exclusively in the technology sector within Europe.

Integris

Integris

Integris offers best-in-class services like dedicated vCIOs, specialized security and compliance advisory services, a 24/7 help desk, and more.