British Airways Faces Record GDPR Fine

The 2018 data breach of British Airways may prove to be a record-breaking data compromise with the announcement of a newly proposed $230 million fine.

The U.K. Information Commissioner’s Office (ICO) proposed the fine under the European Union General Data Protection Regulation (GDPR) following the compromise of the personal data of over 500,000 customers, including their login information, credit card numbers, and addresses. The fine is equal to 1.5% of British Airways’ total 2017 revenue, and represents the largest GDPR penalty to date.

While British Airways alerted the ICO within the 72-hour mandatory disclosure period for data breaches, the company was accused of poor internal cybersecurity and lax protections for customer data on its website and mobile app.

“When an organization fails to protect [customer data] from loss, damage or theft, it is more than an inconvenience. The law is clear: When you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said UK information commissioner Elizabeth Denham.

“The ICO did what data protection and other regulatory authorities usually do–pick a large and easy target, make it an example, and hope everyone else gets in line. The fact that the fine was nearly 1.5% of BA’s global turnover speaks volumes about the willingness of the ICO to push the limits of their enforcement powers,” said CyberScout Global Privacy Officer Eduard Goodman.

“The fine being imposed by the UK ICO demonstrates that security failures are taken very seriously and organizations need to prioritize data protection, security, and privacy – or pay the price. While the largest fines are saved for those organizations particularly reckless with marketing efforts, consent and other core issues, ICO is signaling zero-tolerance for the failure to safeguard private information assets,” Goodman added.

The data breach was the result of a skimming attack by Magecart, a hacking group allegedly responsible for numerous compromised e-commerce sites, including Ticketmaster and Newegg.

British Airways is expected to contest the fine.

The post British Airways Faces Record GDPR Fine appeared first on Adam Levin.

British Airways faces record £183 million GDPR fine after data breach

British Airways is facing a record fine of £183 million, after its systems were breached by hackers last year and the personal and payment card information of around 500,000 customers were stolen.

Read more about what you need to know in my article on the Tripwire State of Security blog.

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their online identities has vastly increased, and so has awareness of the threats to them. The Information Commissioner’s Office received an increased number of complaints this year, and the news was filled with reports of multinational businesses worth many millions suffering dramatic breaches at the hands of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left exposed after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally, but it is expected to suffer a major financial loss in lost revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses, accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million Timehop users were exposed. The company assured users that memories were only shared on the day and deleted afterwards, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year: Facebook suffered a string of scandals after it was revealed that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump’s campaign and potentially to aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is reflected in a 15% increase in data protection complaints and a 30% increase in self-reported breaches. Since this is the first year of GDPR, self-reported breaches are expected to have increased as businesses work to protect themselves against the much higher fines for delaying disclosure.

The ICO also reports 19 criminal prosecutions and 18 convictions last year, and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured firms that it does not intend to make an example of those reporting data breaches in the early period of GDPR, but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, under the GDPR the responsibility is on the business to protect its data, so being vulnerable could result in business-destroying costs. Considering that the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, the UK’s vulnerability rating is higher than those of the Netherlands, Germany and Estonia (30%) and Finland (29%), and the UK is a more likely target for cybercriminals looking to exploit the high-tech and financial services industries, which are among the most vulnerable across Great Britain.

Despite this higher level of vulnerability, the UK has one of the largest cybersecurity talent pools, showing that time and manpower are being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/