The ICO’s £183.39m GDPR Data Breach Fine for British Airways Is Just the Beginning
The UK’s data watchdog, the Information Commissioner’s Office (ICO), issued a hefty £183.39M fine to British Airways for infringements of the General Data Protection Regulation (GDPR) in the 2018 data privacy breach that affected over half a million customers. The airline’s brand image as the “world’s favorite airline” is expected to suffer as a result, both because of the sheer size of the fine and because it is one of the first major breaches under the new GDPR rules to get fined. One day later, the ICO fined Marriott Hotels £99.2m for a breach affecting over 339 million guests. This is just the beginning of the GDPR crackdown.
BBC News reported that lackluster security led to the breach of over 500,000 customer credit cards, names, addresses, travel details and logins. It is the largest fine issued by the ICO to date, far exceeding the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions. It appears the ICO wants to send a warning to companies to button up their systems. It is time for organizations to raise their security awareness internally and externally.
ICO’s announcement states:
The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.
I previously penned the article “A CISO’s Reflection on the First Anniversary of GDPR,” observing previous breaches that had been handled under the older legislation, the Data Protection Act of 1998 and its 2018 predecessor. I expect more news headlines around this topic to be the new normal, as consumers and governments are getting serious about the protection of private data and as more privacy laws are adopted worldwide.
Information Commissioner Elizabeth Denham’s comments are quite clear:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This is a definitive statement of the attitude of the regulators. Very clear and to the point. Your organization has a responsibility with personal data. Fulfill that responsibility or else. A strong warning that the ICO will use its power to protect personal data without hesitation.
The proposed ICO fine of £183.39m could have been much higher. It makes a good argument that better cybersecurity through multi-factor authentication (MFA) is a dramatically better value for the money. So for a CISO, we now have a piece of real data upon which to build any business case when assessing the risk our organisations face. I recall working for one major global organization where only a risk with an impact of over $50m was considered for the risk register. Privacy breaches are well above that line now.
This is not the end of the story. The airline still has to make representations, and there will likely be an appeal. The new process also requires the UK’s ICO to act as the lead authority in the EU and successfully enforce the new laws. Other regulators in countries where residents reside still have to comment. It will be interesting to see if they align with this decision, and whether this will form a new standard to be followed by others across the EU.
The GDPR's Impact on CISOs
GDPR as a topic has not been a major discussion point for CISOs during the last year mainly because we have been preparing for some time — and have begun to focus on new issues like technology-driven change within the business. This headline may well add urgency to those who did not feel fully prepared. For other CISOs it will mean a chance to review what they have done and get support for any additional security changes they may need to adopt, such as MFA, to make sure their organizations are more immune from a breach.
The GDPR is far more than security, and following the rules requires a cross-business approach. From a security perspective, the best way to ensure “privacy” is to get the security basics right. This is where the “zero trust” concept helps. Zero-trust security assumes no user or device is trustworthy enough to gain access until their identity can be verified and authenticated. Making sure you know who is accessing your environment, who your users are and creating policies around authenticating their access is a solid step. The simplest and most cost-effective way to achieve this is through multi-factor authentication (MFA). MFA has been proven to immediately decrease the likelihood of data breaches from credential phishing.
One random thought: I wonder if the UK government will use the proceeds from such fines to improve overall security within the UK, especially for the SMEs? Perhaps this idea could help governments everywhere who have introduced or are about to introduce privacy legislation? Just a thought.