Data leak costs £183 million

July 10, 2019

The British Information Commissioner’s Office (ICO), reported that it is going to fine British Airways £183 million for last year’s data loss. For some perspective, that’s several hundred times Facebook’s EU fine for the Cambridge Analytica case. In this post, we look at what went wrong, why there was such a difference in fines, and why it is a good idea to think about data protection in advance.

The investigation concluded that British Airways had been attacked by the Magecart cybercrime group.

The British Airways data leak — what went wrong?

Last fall, British Airways reported that from August 21 to September 5, outside malefactors had access to the data of users who bought or changed tickets through the company’s website or mobile app. The attackers stole information from approximately 500,000 customers. The information comprised everything that the victims entered into the fields of online forms: usernames and passwords, names and addresses, banking card data including CVC codes, and so on.

The investigation concluded that British Airways had been attacked by the Magecart cybercrime group, known for injecting malicious scripts into e-commerce websites to steal financial data. The attack on British Airways was no exception — the attackers infected the company’s website. Users of the mobile application were affected only because the app loaded some functionality directly from website.

GDPR fine

Although British Airways reported the incident in a timely manner and helped with the investigation, the company was always going to have to pay a fine. According to GDPR regulations, a business that processes European citizens’ personal data must do everything possible to ensure that data’s safety. The company’s website, as the investigation found, was not protected well enough. After the incident, the carrier naturally introduced some new defensive measures, but that does not change its responsibility for the former incident.

Facebook, which leaked data from about 87 million users, faced only a £500,000 fine in Europe. According to the requirements of the 1998 Data Protection Act — pre-GDPR — that was the maximum allowable fine.

Implementing security costs less than a potential fine

BA’s potential fine for last year’s leak is not set in stone: The ICO will consider applications from other European data protection authorities and from British Airways. Nevertheless, the amount is indicative. Implementing appropriate security measures and preventing such incidents is far less expensive. If you are processing the personal information of European users, especially such information as banking payment details, we recommend that you take action immediately and do not delay in introducing reliable security methods.

Preemptive security is especially important for e-commerce or online banking services, which need to pay special attention to protecting their websites from online skimming scripts. Inside our Kaspersky Fraud Prevention platform is a solution called Automated Fraud Analytics that allows you to analyze events occurring on a webpage during a user’s session. It can identify various online threats, including malicious script injections. You can learn more about the solution in the Fraud Prevention section of our corporate website.