British Airways now hold the dubious honour of receiving the highest data protection fine that the UK has ever seen, after the Information Commissioner’s Office (ICO) handed down a record-breaking £20 million fine. The fine could have been much heftier, however, as the ICO fine was originally slated at well over £150 million. BA negotiated to have to fine reduced on the back of several factors, including how the Covid-19 pandemic has affected their industry and business and the conduction of a more thorough review on how the 2018 incident occurred from a technical standpoint.
The incident in question dates back to 2018, when BA was alerted by independent security researcher that personal data for more than 400,000 customers and staff had been breached. BA then notified the ICO, as they are required to by law, but at that point the data had been circulating for at least two months.
The ICO had originally set the fine at a whopping £183 million, but BA successfully lobbied to have that figure reduced. According to Tech Crunch, about £150 million was reduced on the back of further investigation by the ICO which revealed BA was less at fault for the incident than they initially envisaged; a further £6 million and £4 million was discounted due to BA’s response and how their business was negatively impacted by Covid-19, respectively.
The breach began when attackers managed to compromise a network account belonging to a third-party employee. The account in question did not have 2FA enabled, nor was it required by the airline – a big oversight in today’s cyber environment. The attackers then managed to gain access to the wider British Airways network, where they found a domain administrator username and password stored in plaintext on one of their servers.
The attackers were then able to not only find and steal credentials (including full credit card numbers with CVV numbers) for tens of thousands of customers, but they also planted a card-skimmer program on the BA website, allowing them to harvest payment details from over 380,000 customers.
British Airways has apologised for the incident and has since considerably improved their cyber security (one would suspect that the ICO would not be as favourable to them should a second breach occur).
A spokesman for the airline told The Register, “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
In their own statement on the incident and subsequent fine, the ICO specifically called out three basic security measures that BA failed to implement in time to prevent the breach:
- limiting access to applications, data and tools to only that which are required to fulfil a user’s role
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems
- protecting employee and third party accounts with multi-factor authentication
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
So that’s it, folks. British Airways got off very lucky with this fine, however the ICO rightly recognised that they are already in severe financial trouble at the moment due to world events around the Covid-19 pandemic.
There is certainly a lesson for other organisations here, which is to ensure your security is up to snuff before a data breach occurs, or you could end up making headlines by breaking BA’s record of largest data breach fine. The ICO specifically noted that none of the measures they listed “would have entailed excessive cost or technical barriers”, so there are no excuses for not implementing these basic security best practices.