British Airways (BA) will face a fine of $230 million (£183m) for the hacking incident in its systems last year. The fine is said to be the largest penalty that the Information Commissioner's Office (ICO) has handed out, and it is the first to be made public under the new General Data Protection Regulation (GDPR).
The International Airlines Group (IAG), the airline's owner, was both "surprised and disappointed" by the ICO's decision. It insists that it was the victim of a "sophisticated and malicious" criminal attack.
From June 2018, visitors to British Airways' website were redirected to a copy of the site. On that phishing site, users were asked to enter their personal information.
The attack was discovered in September and was initially reported to have affected 380,000 transactions. After the ICO's investigation, the number of affected customers was put at around 500,000.
Elizabeth Denham, Information Commissioner, said, “That’s why the law is clear — when you are entrusted with personal data, you must look after it.” Denham added that “those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Customers entered sensitive information such as their name, date of birth, and credit card details into the phishing site. As users typed in their details, malicious code captured the data from the page and handed it to the attackers.
According to Robert Pritchard, a former cybersecurity researcher at the Government Communications Headquarters (GCHQ), since websites don't store the CVV, it is more likely that the information was extracted while it was being typed in.
BA released a statement last September informing customers that there had been a breach of its security from August 21 to September 5. The announcement was carefully worded and did not explicitly say what happened during the breach.
Because BA did not share enough information, cybersecurity experts were left to speculate about what had happened. According to Professor Alan Woodward, a cybersecurity expert at the University of Surrey, "they carefully worded the statement to say anybody who made a card payment between those two dates is at risk."
Prof. Woodward further points out that the breach was likely due to BA's use of third-party suppliers for code embedded in its site. This kind of attack on a website is called a supply chain attack: the attackers target the least secure element in a network to reach the site they are really after.
Another theory is that a company insider tampered with the website and added the malicious code.
Previously, Facebook had received the largest penalty, for its Cambridge Analytica data scandal. Facebook incurred a $626 million (£500,000) fine under the GDPR, which came into effect in May 2018.
Users took part in a personality quiz created by Dr. Aleksandr Kogan and Global Science Research (GSR). Data from the personality quiz was used by Cambridge Analytica for targeted political advertising in the US. According to the ICO, Facebook did not take adequate and timely action, and it fined Facebook the maximum penalty in October 2018.
GDPR and its effects
Since its implementation in May 2018, the GDPR's robust data privacy rules have forced companies to ensure that personal information collected through websites and apps is stored securely.
The GDPR affects any organization or company that captures data in the European Union. Support businesses serving customers inside the EU are also affected, such as outsourced call centres that communicate directly with EU residents.
According to a report by CNN, Global 500 companies spent roughly $7.8 billion on strengthening their data privacy operating procedures. The estimate was produced by The International Association of Privacy Professionals and EY.
Aside from the GDPR's strict rules, the penalties for data privacy breaches have also increased. Since last year, the maximum penalty has been 4% of turnover, a 3.5% increase compared to 2017's total of 1.5%.
BA’s response to ICO’s decision
Now that the ICO has announced its decision, BA has 28 days to appeal. According to Reuters, IAG CEO Willie Walsh will be making representations about the ICO's fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” Walsh said.
In September 2018, IAG's stock price fell 4% following the news of the data breach. In light of the ICO's decision, IAG's shares fell again, by 0.8%.
According to analyst Gerald Khoo of Liberum, “While IAG has more than adequate liquidity to cover the fine (Dec 2018 cash 3.8 billion euros, total liquidity 6.3 billion euros), the penalty is still substantial.”