Paying the Piper: What We Learned From the British Airways Fine

The Breach

Truth be told it was never really a question of ‘if’ but rather ‘when’ a significant fine for GDPR non-compliance would occur. Following the announcement that British Airways (BA) has been fined £183m, we have now seen the intent of the Information Commissioners Office (ICO) in following through on promises of substantial fines if businesses are found to be in contravention of the regulation.

While there have been several breaches since enforcement of the legislation earlier last year, this is one where the business has admitted what has happened and it ticks all the boxes when it comes to personal data being compromised. Consequently, this is the first major ICO fine for a GDPR breach in the UK, which sets the precedent for future behavior. In this case, BA has been fined £183M, which amounts to, 1.5% of its worldwide turnover in 2017 and is near the 2% maximum fine. The airline will now have to redouble its efforts to prove that it has a secure infrastructure, in order to begin the process of rebuilding trust with its customers.

The Lesson

With BA still recovering from the reputational damage caused when news of the hack broke, there is now a lesson to be learned from the fine and from the breach itself. BA handled the breach well in that it was picked up relatively quickly, and the alarm was raised correctly following its internal protocols. BA has cybersecurity systems in place that could narrow down, both how the incident happened and, most importantly, who was affected as a result. Unlike the TalkTalk incident where the number of consumers impacted changed on a regular basis, the BA team did its due diligence on the event quickly and efficiently.

Furthermore, BA focused on ensuring that its network was secure from any additional breaches. When a hacker finds one vulnerability in an IT infrastructure it will be exploited to maximum effect – with similar areas being tested for the same weakness. Depending on the vulnerability, the attacker will then look at additional exploits which can be used to maximize their advantage, potentially looking at what other pieces of malware that can be introduced. Unfortunately, once malware takes hold of an environment, it often becomes easier to start from scratch to rebuild it rather than try and take out the infections one by one – if you miss one as it’s hidden, you could end up back at square one in a few weeks or months’ time. BA has seemingly taken steps to protect its network from any additional hacks.

The Takeaway

Organisations must realize that a security incident can have far greater repercussions than just the loss of data or an immediate financial impact. Reputational damage and increased costs from auditing are just two other significant items which will occur.

Businesses are now culpable for the data they share with partners, as well as that they hold. With GDPR there is no finger-pointing, shared responsibility is one of the primary tenets. There is no doubt that BA’s fine will have a significant impact and damage shareholder value, leading to some difficult conversations with shareholders and Operations Directors. We will see what the impact is on sales, and how many people move away from online purchasing. BA will need to spend time and money rebuilding the public’s confidence in its abilities to keep personal information safe – something every traveler needs to share before flying. For a smaller company, that doesn’t have the luxury of BA’s assets and turnover a significant fine and the other associated costs could theoretically bankrupt it.

Organisations must learn from this example; firstly, that the ICO has now bared its teeth and is not afraid of handing out substantial fines to household names; and secondly, that personal data needs serious protection to ensure that it doesn’t a similar fate to BA’s – and the subsequent consequences. A defence-in-depth strategy is most effective, revisiting the boundary solutions and implementing more stringent policies on the gateways is a good start. Next-generation web gateways, such as Clearswift’s Secure Web Gateway solution and/or Secure ICAP Gateway can be deployed in both forward- and reverse-proxy modes and can be used to mitigate advanced threats on web pages. Revisiting the infrastructure to segregate public-facing systems, including the backend systems to prevent malware infections from crossing onto other pieces of production networks is also key. Moreover, firms should seek to build a culture of cybersecurity amongst their staff, and ensure that workers can recognize the warning signs of a breach and that the correct protocols for reporting a breach are in place. It’s essential that you enact these changes sooner rather than later, because if you don’t, you may end up paying the piper too.