British Airways plane

British Airways Hit With Record $229 Million Fine After 2018 Hack

The airline, along with Mariott International, is facing harsher penalties for not properly protecting customers’ personal data prior to cyberattacks.

British Airways, the second largest airline in the United Kingdom, could have to pay a record fine of over 183 million pounds, or about $229 million, for a hack that exposed the private data of hundreds of thousands of customers. The penalty is the largest ever issued by the Information Commissioner’s Office, the British agency tasked with protecting citizens’ data privacy.

An investigation conducted by the ICO found that the airline’s lack of security measures allowed for hackers to “harvest” personal data of 500,000 customers for several months in the summer of 2018. The incident involved diverting customers from the British Airways website to a fraudulent site where users entered their names, email addresses, travel details and credit card information.

Since the attack, the company has made improvements to its security operation and cooperated with the investigation, according to the ICO.

“People’s personal data is just that – personal,” ICO commissioner Elizabeth Denham said in a Monday statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

She added: “Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The announcement came in the wake of new regulations in the U.K., introduced last year, that make it mandatory for companies to report security breaches to the ICO. The changes to the General Data Protection Regulation (GDPR) also increased the maximum penalty to 4 percent of the corporation’s turnover, or yearly net sales. While the fine on British Airways was the largest ever levied by the agency, it was only about 1.5 percent of the airline’s turnover in 2017, according to the BBC.

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, the strategic technology partnerships officer for The Media Trust.

It doesn’t look like the regulator is slowing down anytime soon. On Tuesday, the ICO announced its intention to fine Mariott International over 99 million pounds, or $124 million, for a data breach that led to the exposure of 339 million sensitive guest records, 30 million of which were related to European residents.

The ICO investigators concluded that Mariott failed to undertake “sufficient due diligence” when it bought Starwood, a group of hotels that had its reservation database hacked in 2014, eventually exposing the data of over 500 million guests. The attack was only discovered and reported to the regulator in November.

Tim Erlin, the vice president of product management and strategy at cybersecurity company Tripwire, said the regulations “walk a fine line” between improving security and blaming the victim of criminal activity.

“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” Erlin said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”

Both companies will have the opportunity to argue for a reduction in the fine before the ICO makes its final decision. Regardless of the outcome, security experts say the severity of the British Airways penalty should be a wake-up call to companies about the importance of data security.

“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it.”

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities