This week, the U.K.'s Information Commissioner's Office (ICO) made the decision to fine British Airways £20 million for failing to protect the personal and financial details of more than 400,000 customers.
British Airways fails in cybersecurity
An investigation conducted by the ICO concluded that British Airways (BA) was processing a very large amount of personal data without proper security measures in place. This alone breaks data protection laws, but since it did not have the correct measures in place, BA became victim to a cyber attack in 2018, which went undetected for approximately two months.
Investigators of the incident found that BA should have been able to identify weaknesses in their cybersecurity and implement security measures that were readily available at the time. If they had done this, it is likely BA would have avoided the cyber attack that caused their company all this trouble.
Information Commissioner Elizabeth Denham had this to say regarding the BA incident:
"People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine— our biggest to date.
When organizations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security."
The timing of this case is crucial since it occurred in June 2018, before the U.K. left the EU. Because of this, the ICO investigated BA on behalf of all EU authorities.
The ICO says it considered both representations from BA and the economic impact of COVID-19 before confirming a penalty for the company.
What occurred during the cyberattack?
This was certainly a successful cyber attack for whoever committed the crime. It is believed that the attacker was able to access approximately 429,612 customers' and employees' personal data. This personal data includes names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers.
It is also likely that 77,000 customers had their combined card and CVV numbers compromised, as well as only card numbers for 108,000 customers.
How to prevent future cyber attacks
The ICO listed three specific actions British Airways could have taken:
- "Limiting access to applications, data and tools to only that which are required to fulfil a user's role;
- Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business' systems;
- Protecting employee and third party accounts with multi-factor authentication."
The ICO also provided other actions BA could have taken in the penalty notice.
The airline could have easily avoided a cyber attack of this magnitude. The Information Commissioner's Office stated its suggested actions would not be costly or have any technical barriers. And the ICO says since the attack, BA has made great improvements in its cybersecurity.
