British Airways (BA) has been hit by a record £183m GDPR fine after failing to prevent a digital skimming attack last year.
UK regulator the Information Commissioner’s Office (ICO) said the £183.39m penalty was levied due to “poor security arrangements” at the carrier, leading to the compromise of personal data on around half a million customers.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” said information commissioner, Elizabeth Denham.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fine is the biggest ever levied by the ICO, publicly at least, but still amounts only to around 1.5% of the airline’s global annual turnover as of 2017 – far less than the maximum 4% allowable.
That said, BA will be appealing to the ICO. Chairman and CEO, Alex Cruz, claimed the company responded quickly to the incident and that it has found “no evidence” of the data being used in follow-on fraud.
However, security researchers claimed to have found the stolen personal information up for sale online just a week after the incident.
The attack involved an increasingly popular form of digital skimming code known as Magecart, which was inserted covertly onto the BA site to harvest users’ card details without the airline’s knowledge.
BA can feel slightly aggrieved at the size of the fine, as the attack was reportedly highly targeted, with the hackers designing their malicious JavaScript to blend into the background. The C&C server to which the data was exfiltrated was also protected with a legitimate Comodo SSL certificate.
The data stolen included log-in, payment card and travel booking details as well as name and address information, according to the ICO.
Raef Meeuwisse, ISACA expert speaker and author, argued that commentators should refrain from passing judgement until the outcome of BA’s appeal is known.
“This fine is a timely wake-up call for enterprises that under-investment, especially in cybersecurity, is a false economy. It is also a reminder that you cannot just leave mission-critical third-party activities with anything less than mission-critical levels of verified security,” he said.
“However, I think we need to await the outcome of any appeal and what the final amount of the fine really is. If the amount reduces substantially during the appeals process, then the executives in other organizations who are just about to raise the risk-levels and investment in both data privacy and security will probably breathe a sigh of relief.”