2018 British Airways Breach: £183-Million Fine Imposed
British Airways is in hot water, facing a £183-million fine over the data breach it suffered in 2018. The airline has expressed its dissatisfaction with the decision, claiming that all the necessary mitigations were in place and that it was simply the unfortunate victim of cyber criminals. The fine was announced by the UK's Information Commissioner's Office (ICO) via the London Stock Exchange. Until Brexit takes full effect, the European Union's GDPR remains in force in the United Kingdom.
According to the ICO, British Airways' main website was compromised by cybercriminals, who diverted its traffic to a fake website they had created. Because the diversion went unchecked, 500,000 users had their information captured by the fake website. “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” explained Elizabeth Denham, Information Commissioner of the ICO.
An estimated 380,000 transactions were processed by the fake website posing as the official one as a result of the traffic redirection; the only silver lining is that passport and travel data were not included in the breach (as claimed by British Airways). The ICO highlighted British Airways' negligence in securing its customers' payment card, travel booking and login details. Full names, credit card numbers with their corresponding expiry dates, and the 3-digit CVV required to use the card were captured from users.
“BA are claiming there were no fraudulent transactions from the leak. My card details, I don’t think, were exposed anywhere else. BA contacted me in August/September about the breach, that addresses and emails were leaked. Later they said credit card details were too,” complained one of British Airways’ loyal customers, David Champion.
GDPR took effect on May 25, 2018, across all European Union member states; it pre-dated the Brexit vote that set in motion the UK's withdrawal from the EU. In fairness to British Airways, the airline fully cooperated with the ICO in providing the data needed to reconstruct how the breach unfolded. Measured against GDPR's maximum penalties, the British Airways case is far from the worst outcome: GDPR allows a fine of up to 4% of a company's global revenue for the worst offenders. For British Airways, 4% of revenue could easily reach a whopping £500-million, a penalty the airline dodged.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused,” emphasized Alex Cruz, CEO and Chairman of British Airways.
Julia Sowells
Julia Sowells is a technology and security professional with a decade of experience. She has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.