The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The Data Breach
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Also, the usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were potentially accessed, but this is uncertain. It is often impossible to be certain which data the hackers copied.
The ICO concluded that there were numerous measures BA could have used to mitigate the risk of an attacker being able to access the BA network. These include:
- limiting access to applications, data and tools to only that which are required to fulfil a user’s role
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
- protecting employee and third party accounts with multi-factor authentication.
Since the attack, BA has made considerable improvements to its IT security.
BA did not detect the attack in June 2018 themselves but were alerted by a third party more than two months afterwards in September 2018. Once they became aware BA acted promptly and notified the ICO.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” said Information Commissioner Elizabeth Denman.
If you have any experiences with these scams do let me know, by email.