- British Airways broke data protection law and failed to detect the attack for more than two months.
- Sensitive data, including payment card details, was stored unencrypted
British Airways has been fined £20 million ($26 million) over a data breach in which its systems were hacked and the personal and payment card details of more than 400,000 customers were stolen.
It is the largest fine ever imposed by the Information Commissioner's Office (ICO), dwarfing the £500,000 slap on the wrist it gave Facebook over the Cambridge Analytica scandal.
But many will feel British Airways got off lightly, given that in 2019 the ICO had announced its intention to fine the airline £183 million for the same breach.
The fine may be the largest in the ICO's history, but it is still around 90% lower than it might have been.
In announcing the final penalty, the ICO said it had taken into account the representations made by British Airways and the economic impact of COVID-19 on its business.
Read between the lines: had British Airways not been hit so hard by the global pandemic, the penalty for its massive security failure would have been far larger.
And the failure of British Airways was monumental.
The failings identified in the ICO's penalty notice include:
- not enforcing multi-factor authentication (MFA) on accounts that allowed remote access to British Airways' internal systems;
- failing to prevent the exploitation of a weakness in its Citrix remote access environment, which allowed the attacker to run unauthorised tools and scripts and carry out network reconnaissance;
- storing the login credentials (username and password) of a privileged domain administrator account in plaintext, giving the attacker virtually unrestricted access to the compromised domain.
Perhaps most shockingly, British Airways was storing customers' payment card details, including CVV numbers, in plaintext.
The details of some 108,000 payment cards were sitting on British Airways' systems without any form of encryption, at the attacker's disposal.
That failing, together with the malicious Magecart skimming code planted on the airline's payment page, which stole the personal and payment card details of hundreds of thousands of travellers booking through BA's website and mobile app, is what led to today's record fine.
Yes, £20 million is far less than the £183 million British Airways was originally told to expect. But it is still the largest fine ever imposed for a data security breach in the UK, and one hopes it will push other companies to do more to secure their systems.
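The plaintext CVV storage is worth dwelling on, because the right fix is not "encrypt the file": card-brand rules (PCI DSS) forbid storing the CVV at all once a payment has been authorised, and the full card number should only be kept masked unless there is a specific, protected need for it. The example below is added here to illustrate that point; it is not code from the original post and has nothing to do with British Airways' actual systems. It shows a naive "dump the record to disk" function beside a hardened one that drops the CVV and masks the PAN, plus a scrubber for log lines that redacts Luhn-valid card numbers and CVV fields before they are written. The record, the log lines and the test card number are constructed for the example.

```python
import re
from typing import Any, Dict

# Constructed sample: what a booking flow might hold in memory while a card
# is being authorised. 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECORD: Dict[str, Any] = {
    "booking_ref": "ABC123",
    "cardholder": "A Traveller",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv": "123",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (BIN and last-4)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def persist_unsafe(record: Dict[str, Any]) -> Dict[str, Any]:
    """The 'before': writes PAN and CVV to storage verbatim. Do not do this."""
    return dict(record)


def persist_safe(record: Dict[str, Any]) -> Dict[str, Any]:
    """The 'after': CVV is never stored; PAN is replaced by a masked form."""
    out = {k: v for k, v in record.items() if k not in {"cvv", "pan"}}
    out["pan_masked"] = mask_pan(record["pan"])
    return out


# Runs of 13-19 digits, optionally separated by spaces or dashes, and
# cvv/cvc-style key=value fields. Applied to every line before logging.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"(?i)\b(cvv|cvc|csc|cv2)\s*[=:]\s*\d{3,4}")


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid card numbers and redact CVV fields in a log line.

    Digit runs that fail Luhn (ticket numbers, timestamps) are left alone.
    """
    def mask_if_card(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    line = PAN_RE.sub(mask_if_card, line)
    return CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    print(persist_unsafe(SAMPLE_RECORD))   # PAN and CVV on disk, in the clear
    print(persist_safe(SAMPLE_RECORD))     # no CVV, masked PAN only
    # Constructed log lines of the kind a payment gateway integration emits.
    for raw in (
        "auth ok pan=4111111111111111 cvv=123 amount=42.00",
        "ticket=1234567890123456 status=issued",
    ):
        print(scrub_log_line(raw))
```

The scrubber is a safety net, not a substitute for never putting card data in logs in the first place; its value is that a debugging flag left switched on (a common way CVVs end up in text files) no longer writes anything that a Magecart-style intruder could harvest from the filesystem.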
*** This is a syndicated post from the HotForSecurity blogger network, written by Graham Cluley. The original post can be found at: https://hotforsecurity.bitdefender.com/blog/having-saved-credit-card-details-in-plaintext-since-2015-british-airways-is-fined-20-million-24340.html.