British Airways faces a £183.39 million fine for failing to protect customers’ financial and personal data following a Magecart-style card skimming attack on its website last summer – which required just 22 lines of code to execute.
The Information Commissioner’s Office (ICO) found that a “variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as names and addresses.”
Announcing her intention to levy the fine under GDPR, Information Commissioner Elizabeth Denham said: “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Nearly half-a-million customers were affected.
British Airways now has the opportunity to “make representations” to the ICO about its findings and the proposed fine. The decision to hit BA with a substantial fine for the breach was roundly welcomed by security professionals.
Nik Whitfield, CEO, Panaseer, said: “This is game changing for any company serving EU customers, and great news for consumers’ privacy.”
“This shareholder affecting penalty creates the business case for global companies to invest the substantial sums required to continuously assure that their security controls are adequate, present and working effectively – too often we see data breaches enabled by fundamental security measures not being switched on. New, automated approaches to assurance, such as Continuous Controls Monitoring, will become standard practice, in the same way ERP systems have for the finance function.”
British Airways Fined: Company to Appeal
The British Airways chairman, Álex Cruz, told press that the airline was “disappointed” by the initial finding, saying: “British Airways responded quickly to a criminal act to steal customers’ data.”
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, the chief executive of BA’s owner International Airlines Group (IAG), said the airline would appeal the penalty.
Cybersecurity company RiskIQ, which identified the script used in the attack late last year, said at the time: “The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”
“We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.”
Such card skimming attacks typically work by embedding custom JavaScript into an e-commerce page. Whenever card data is entered into a form, the skimmer copies the form and sends the stolen data to a drop server. They remain rampant: as first reported by Computer Business Review on Friday, 962 e-commerce websites are believed to have been attacked in just 24 hours last week in a highly automated attack.
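A defender-side check for the skimming pattern described above, as an added example (not code from RiskIQ, the ICO or British Airways): it audits the destinations a checkout page talks to against an allowlist and flags brand lookalikes such as the baways.com domain RiskIQ names. The allowlist, the sample URLs and their paths, and the lookalike heuristic are assumptions constructed for illustration.

```javascript
// Added example. Allowlist, sample URLs and heuristic are constructed assumptions.
const FIRST_PARTY = "britishairways.com";
const ALLOWED = new Set([FIRST_PARTY, "payments.example"]); // hypothetical allowlist

// Approximate the registrable domain as the last two labels (assumption;
// production code should use a public-suffix list).
const baseDomain = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Levenshtein distance, to catch typosquats of the brand label.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// True when needle's characters all occur in hay, in order (abbreviation-style names).
function isSubsequence(needle, hay) {
  let i = 0;
  for (const ch of hay) if (i < needle.length && ch === needle[i]) i++;
  return i === needle.length;
}

// Heuristic: a domain whose first label is a near-typo or abbreviation of the brand.
function looksLikeBrand(domain, brand = FIRST_PARTY) {
  if (domain === brand) return false;
  const [label, brandLabel] = [domain, brand].map((d) => d.split(".")[0]);
  return editDistance(label, brandLabel) <= 2 ||
    (label.length >= 4 && isSubsequence(label, brandLabel));
}

// Return every observed destination outside the allowlist, marking lookalikes.
function auditRequests(urls, allowed = ALLOWED) {
  return urls.map((u) => new URL(u).hostname)
    .filter((host) => !allowed.has(baseDomain(host)))
    .map((host) => ({ host, lookalike: looksLikeBrand(baseDomain(host)) }));
}

// Constructed sample of requests seen while loading a payment page.
const observed = ["https://www.britishairways.com/checkout",
  "https://api.payments.example/v1/charge",
  "https://baways.com/placeholder-path",
  "https://cdn.analytics.example/t.js"];
console.log(auditRequests(observed));
```

The list of observed URLs could come from Content-Security-Policy violation reports or a scheduled headless-browser crawl of the payment flow.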
“British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light”, the ICO said, adding, “the company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”