The UK Information Commissioner’s Office (ICO) wants British Airways to pay a £183.39 million (nearly $230 million) fine for failing to protect personal and financial information of approximately 500,000 of its customers.
The company, which is part of the International Airlines Group (IAG), intends to appeal the decision.
The breach that prompted the fine
In early September 2018 (and a few months after the EU GDPR became enforceable), British Airways announced that its website and mobile app had been compromised, and that the attackers managed to collect personal and financial details of customers making or changing bookings through those two avenues.
A few days later it was revealed how: the so-called Magecart attackers covertly put a payment card skimming script on the company’s website.
The ICO was notified of the breach immediately and its investigation “has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
“ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings,” the ICO noted.
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
The currently proposed fine is equivalent to 1.5 percent of British Airways’ turnover in 2017.
British Airways chairman and chief executive Alex Cruz said that the company is “surprised and disappointed in this initial finding from the ICO” and that they “have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
“Action on BA was inevitable. 23 percent of security professionals named it the worst security breach of 2018, second only to Facebook and the Cambridge Analytica scandal. While we don’t yet know the final size of any fine, this is a clear warning shot – not only for BA but for the security industry as a whole,” Amanda Finch, CEO, Chartered Institute of Information Security Professionals, told Help Net Security.
“The ICO is showing its willingness to implement the full weight of its powers under GDPR, and BA is showing us exactly what even a small percentage of annual turnover looks like.”
Colin Truran, Principal Technology Strategist at Quest, says that the British Airways IAG data breach heralds the start of the GDPR being applied to business failures in protecting our personal data.
“It’s worth breaking down the numbers to get a better perspective. This is a record fine and a significant one for an industry that struggles to maintain a steady profit. However, it equates to only £366 per person and based on what Facebook are willing to pay for the use of far less critical information this doesn’t seem that much,” he pointed out.
“We need to understand that this is meant to be a slap on the wrist for the uncontrolled exposure of sensitive information for which we will never really know how it’s been used. What we really need to understand is why the failure happened, what we can all learn from this and what BA has implemented since then to improve the situation. We would also like to know what stayed the hand of the ICO in not going for the full 4%: was it based on the measures BA had in place, the action it took to identify and notify individuals, as well as its cooperation with the ICO? These early cases are vital to help business understand the risks they face and how they can mitigate them for themselves and of course their customers.”
He also noted that even if their appeal to the ICO is successful, IAG could still be hit by lawsuits by the affected individuals.
“The £183 million fine does not really terminate the legal ramifications for BA related to their website hack; other parties may still have valid claims against BA,” noted Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.
“It is now important to determine whose negligence or misconduct ultimately caused or facilitated the breach. If BA was relying only on automated vulnerability scanning for a business critical application, a cybersecurity supplier who suggested such a reckless strategy may be liable under certain circumstances, and BA may crossclaim the damages. In any case, this is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded, may cost hundreds of millions. Prompt reaction, investigation and rapid notice won’t be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints.”
Criminal groups that fall under the Magecart umbrella have been plundering websites for years. The most recent instance of a mass Magecart spree happened this 4th of July when, according to researcher Willem de Groot, 962 online shops had their customers’ card details stolen:
Our crawlers detected 962 breached stores last night. It is the largest automated campaign to date (previously: MGCore with 700 stores). Decoded skimmer: https://t.co/CCVakmMrR5 pic.twitter.com/nIHQFwtRXN
— Sanguine Security Labs (@eComscan) July 5, 2019
UPDATE (July 9, 2019, 11:30 a.m. PT): The ICO also wants to fine Marriott International £99,200,396 (around $123 million) for infringements of the General Data Protection Regulation (GDPR).
“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents,” the ICO noted.
“It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”