Is £20M an appropriate fine for British Airways from the ICO for the 2018 hack that exposed the personal data of hundreds of thousands of people, including credit card details?
I am not sure how I feel about this. The airlines are going through a very tough time with Covid-19, and the ICO's original notice of intent put the fine at around £183M. The hack itself came down to 22 lines of malicious JavaScript inserted into a script the BA website served to its customers: a web skimmer that copied whatever the customer typed into the payment form and sent it to a server the attackers controlled. It was a tailored version of the Magecart technique used in other large-scale skimming attacks, including those on Ticketmaster and Forbes. The attackers even paid to set up a TLS certificate for their server so that the stolen data was encrypted in transit. After all, the attackers did not want anyone else to benefit from the leaked data, which included the card's CVV number. The CVV is never stored by the BA website (card-industry rules forbid retaining it after authorisation), so a breach of the back-end database would not have yielded it; the only place to capture it is in the browser at the moment the customer types it, which is exactly what the injected script did.
There is no doubt this was a sophisticated, well-planned and well-executed attack. However, this is a large multinational that should have world-class security baked into every aspect of its business, most critically the public-facing web form that takes credit card details. Of course, hindsight is 20/20, and it is easy for security professionals to talk about attacks after they happen and list all the things that should have been done.
So, is £20M an appropriate amount for the ICO to fine British Airways at this time? Let's think about what we are trying to achieve. We need to ensure security is taken seriously by businesses. We need to ensure the boards of directors of all companies understand the risks they take by operating online. The world is digital; every aspect of every business is digital. Maybe we have sleepwalked into this new digital world, but we are here now, and we must all be accountable for keeping our citizens' data safe.
Fines under GDPR were meant to be so punitive that they would force businesses to take online security seriously. I am not sure it has worked, and a low-ball fine of £20M sends a message to all the other multinationals that if they get fined, they can negotiate the figure down to something more palatable. Where is the compensation for the individuals who had their data stolen? An ICO penalty is paid to the Treasury, not to the victims; affected individuals have to pursue compensation themselves through civil claims under Article 82 of the GDPR. These individuals then no doubt suffered follow-on cybercrime when their data was sold on to other cybercriminals on the dark web.
The airline industry had a terrible safety record when commercial air travel first started; now it has the best safety record of any industry. It can be done; it takes an enormous combined effort of regulators, industry bodies, businesses and professional services to pull it off, but it can be done.
Do we need CISOs, directors and CEOs to be personally accountable for data breaches and to face criminal prosecution for lapses in cybersecurity? Is that what it will take to enforce rock-solid online security?
For now, I feel the ICO missed an opportunity to send a strong and unequivocal message to large enterprises that it is serious about fines.
When a data breach occurs, the financial and legal downsides must ensure that the board takes cybersecurity seriously and educates itself as to what is required, from the top down, to run a secure business online in this day and age.