British Airways is facing a record fine of £183 million for a breach of its customers' data last year.
The fine was issued by the Information Commissioner's Office (ICO); BA has said it is "surprised and disappointed" by the decision.
Around 500,000 customers are believed to have been affected by what is described as a "sophisticated, malicious criminal attack" on both its website and mobile app.
The details were stolen after customers were diverted from the BA site to a fraudulent one, where they unwittingly entered their personal details.
The stolen data included names, addresses, login passwords and detailed card information. The airline has said that passport and travel details were not taken.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience”, said Information Commissioner, Elizabeth Denham.
The ICO said the attackers were able to obtain customer information so easily because of "poor security arrangements". The watchdog said that BA is co-operating with its investigation and added that the airline has since improved its security.
Negligence and misconduct
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has expressed concern that BA's fine neither makes up for the failure that occurred nor settles who is responsible for the breach. He commented: "What's worse is that the £183 million fine does not really terminate legal ramifications of BA related to their website hack; other parties may still have valid claims against BA.
“It is now important to determine whose negligence or misconduct ultimately caused or facilitated the breach.”
He continued: “If BA was relying only on automated vulnerability scanning for a business critical application, a cybersecurity supplier who suggested such a reckless strategy – may be liable under certain circumstances and BA may crossclaim the damages.”
It is thought that the hacking began in June 2018, but it was not until 6th September 2018 that the breach was first disclosed.
Since GDPR came into force, BA is the first company to have had its fine disclosed to the public.
"Since the GDPR came into force, we've seen a variety of breaches and fines occur, ranging from large, established organisations to smaller organisations", said Peter Carlisle, VP of global sales at nCipher Security.
"With over 200,000 cases reported across Europe, British Airways is just the latest in a long line of organisations to show us that no one using the personal data of EU citizens can avoid compliance. The loss of customer trust and damage to reputation that follow a data breach are now being matched by weighty fines and potentially devastating financial penalties," he continued.
In further discussing how data is being used by companies, Carlisle said: “As BA has learnt, the future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection… After all, data is any business’s most important asset, regardless of size or sector.”
“Prevention is much better than cure”
Carlisle also spoke of the best ways to optimise security when it comes to customer data. He said: “The best defence in cybersecurity is a proactive one, and the right mix of hardware, software and internal education provides a firm foundation of protection. Encryption, digital signing and key generation are also increasingly important, as data that is fully encrypted is useless to hackers even if a data breach does occur.”
Kolochenko, meanwhile, remarked: "This is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded, may cost hundreds of millions. Prompt reaction, investigation and rapid notice won't be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints."
The £183.4 million fine equates to just 1.5% of BA's annual turnover for last year.
British Airways now has 28 days to appeal against the penalty; the ICO will then decide the final outcome.