The 2018 breach, which exposed the personal information of over 400,000 British Airways customers, will cost the company £ 20m in one of the largest GDPR fines to date. The UK ICO’s decision revealed that the travel giant was negligent because “poor security” created a hole in the network that attackers exploited for two months before it was discovered.

UK ICO expects £ 20million

UK ICO Information Commissioner Elizabeth Denham said: “The individuals who entrusted BA with their personal information and BA have not taken reasonable steps to keep that information secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and worry as a result. Because of this, we fined BA £ 20m – our largest to date. “

The case stayed with the UK ICO when the breach began in mid-2018. At the time, the UK was still part of the EU and required final approval from the other EU data protection authorities (DPAs). The GDPR fine amount took into account the security measures that were available at the time of the breach, as well as the burden on the airline’s customers and the impact of COVID-19 on the company’s operations.

The data breach is believed to have negatively impacted approximately 429,612 customers and employees of the airline. Over a period of around two months, the hackers were able to gain access to administrator accounts and payment systems in order to filter a wide range of confidential information: full names, residential addresses, credit card numbers and the security CVV numbers found on the back of the cards. The attackers also breached approximately 612 BA Executive Club accounts (the airline’s rewards program).

The violation started in July 2018, but BA wasn’t aware of it until it was notified by a third party in September. The UK ICO’s investigation identified a number of specific flaws that BA would reasonably have had to support prior to the breach: Restricting internal network access of individual user accounts to important tools and information that were not subjected to regular tests or cyber attacks, simulations and no implementation of a multi Factor authentication within the company network.

Another piece in the fine pattern of the GDPR

British Airways’ GDPR fine has been in the making for a long time. The UK ICO first committed to penalize the airline in January 2019, but it took over a year and a half to pinpoint the exact amount. £ 20million is significantly less than the £ 183million originally proposed in June 2019, which would have more than tripled Google’s record £ 50m fine from the French CNIL for the abuse of its personalized ad tracking service. ICO UK also significantly cut the deadline, which should not go beyond April 2020 before the pandemic began. In the event of a successful appeal and a state of hardship due to the COVID-19 crisis, the airline can thank you for the greatly reduced amount, which falls below 1% of its total annual turnover. However, the amount will come as the fourth largest GDPR fine behind those paid to Google, H & M’s German customer service center and Italian telecommunications giant TIM.

After two and a half years, the fines and penalties of the GDPR are still coming into focus. This decision by the UK ICO reaffirms the idea that organizations can meet the expected safety standards of the time and (potentially) expect substantial fines if caught with inadequate defensive measures. Sameer Malhotra, CEO and Founder of TrueFort, believes that too often organizations lag behind threat activity and need the most advanced solutions available to keep up: “Dwell time is the number one problem facing hackers working in the world land needs to be lived, reduced and eliminated, but undetected attacks and data theft are all too common. Unfortunately, most organizations lack the behavioral and real-time analysis necessary to detect unusual or unauthorized access or to identify unusual behavior related to their critical applications and data sources. This adds up to the prolonged exposure that you have with British Airways in this case. “

Are massive GDPR fines the solution?

Of course, the airline also managed to pull out an appeal for over a year (aided by the sudden onset of the pandemic) and end up paying only a very small portion of its annual revenue, so one has to wonder whether even the largest of these fines actually deliver the necessary prerequisites to convince companies to spend more on security solutions. Ilia Kolochenko, founder and CEO of ImmuniWeb, also believes that even these relatively low costs will not weigh on the company: “The road to hell is paved with good intentions. BA is likely to shift the £ 20million cost onto passengers and employees, as most other companies likely would. During the pandemic, exemplary penalties designed to greatly deter others are likely to mean more layoffs and less quality of service. While cybersecurity budgets are likely to stay intact or even continue to decline. In addition, as much as £ 20 million is only a fraction of the total security budget in large companies. This can simply mean that paying a “record fine” is cheaper than investing in a robust and holistic cybersecurity program. “

What’s the answer? Kolchenko doesn’t see any maximum GDPR fines or even incarceration for CEOs as a difference. Instead, he suggests focusing resources on eliminating the hacking groups responsible for these violations: “To keep our digital lives safe, governments should also consider supporting cybersecurity efforts by companies and organizations. This includes efficient and effective cybercrime investigation units capable of apprehending hackers, sending them to jail and recovering at least some of the stolen loot or diminishing their illicit profits. Given the growing data protection laws and regulations, from the hyped GDPR to the relatively young CCPA, harsh penalties against companies that create jobs and pay taxes are counterproductive when the state is toothless against cyber gangs that act with impunity. “

BA can thank COVID-19 for a successful appeal and a state of hardship for the greatly reduced #GDPR fine, which falls below 1% of total annual sales. #cybersecurity # Regarddata

Click here to tweet

While it is possible that this approach may be more effective than GDPR fines at reducing hacking complications, it does not address two other major causes of data breach: employee error and insider trade-off. A spring 2020 report found that 90% of data breaches reported to the UK ICO were due to an end-user error. Misconfigurations and improper updating / patching are common mistakes that result in openings without the involvement of a threat actor. While insider threats remain relatively low in the UK, it is increasing as a breach cause worldwide as both the number of incidents and the expected costs have increased by double digits worldwide in recent years.