Alistair Burdon


GDPR starts to bite

On July 8, 2019 the Information Commissioner's Office (ICO) announced its intention to fine British Airways (BA) £183 million after hackers stole the personal data of around half a million customers. This is the largest fine ever imposed for a data breach and was the first under the General Data Protection Regulation (GDPR) introduced in May 2018.

Just two days later, the ICO announced that the international hotel group Marriott would be fined almost £100 million after hackers stole the records of 339 million guests. This related to a submission to the ICO by Marriott in November 2018 that personal data including credit card details, passport numbers and dates of birth had been stolen in a vast global hack.

With GDPR now firmly in place and the ICO showing it has the will to use its full powers, these could be the first of many big fines handed out to companies for data breaches. Cybersecurity has never been more important. Getting it right is a continuous process, and as threats and attacks evolve, so must organisations. Systems need to be secure, and tighter regulations and legislation need to be adhered to. Getting this wrong can have a significant impact on an organisation, financially and reputationally.

The Information Commissioner, Elizabeth Denham, stated ‘People’s personal data is just that – personal…. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.’

The Big BA Data Breach

The BA breach took place between August 21, 2018 and September 5, 2018. During this period hackers stole personal and financial details from customers. This data included names, email addresses and credit card numbers, including expiration dates and the three-digit CVV code required to authorise payments.

The £183 million fine amounts to about 1.5 percent of British Airways’ £11.6 billion worldwide turnover last year.

Under GDPR, fines can now be up to four per cent of annual global revenue or €20 million (whichever is greater). Prior to GDPR, the largest penalty the ICO had ever given out was a relatively modest £500,000 which was imposed on Facebook for its role in the Cambridge Analytica data-harvesting scandal.

Protecting customers’ data security

The ICO has found that BA and Marriott did not meet the GDPR principle that requires data to be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Although BA has only released limited technical details about the breach, the ICO said its extensive investigation found that the incident involved customer information being harvested after being diverted to a fraudulent website. Technical experts believe this was an example of cross-site scripting (XSS), which sent data to a similar-sounding website. It is believed it was exploited by a hacking group called Magecart via a vulnerability in third-party JavaScript used on the website.

Why ignoring cybersecurity is a false economy

Effective processes and monitoring would have picked this up quickly, and as the cost of cybercrime increases and attacks become ever more sophisticated, implementing effective cybersecurity is critical to protect personal and commercial information within organisations. Unfortunately for BA and Marriott, the amount they have been fined is likely to be far in excess of what it would have cost to mitigate the vulnerabilities to begin with.

Although data breaches are regularly in the press, and despite six-figure fines being handed to companies such as Carphone Warehouse, Uber, and the CPS, it appears lessons are not being learned. ICO investigations have led them to comment that multiple penalty notices have been issued to companies for the same or very similar non-compliances.

The most common cybersecurity mistakes

Common failures include inadequate policies and procedures on securing data, poor standards of security training, and little or no training in data protection and secure information sharing for staff.

By scrutinising good practice within industries, the ICO has also identified common technical practices that should be followed. Failure to follow good practice can be easily identified. It includes lack of appropriate risk assessments and appreciation of risk within the organisation, use of unsupported legacy software, poor patching processes and lack of annual penetration tests.

How Cyberfort can help you

Cyberfort can support you and your business to address any areas of weakness and protect your data in this changing world, guiding you on your path to become cyber resilient.

We ADVISE, DETECT, and DEFEND our clients from cybersecurity threats with an end-to-end data security proposition. The businesses within Cyberfort Group are best-in-breed, and can support you with governance, risk and compliance management, penetration testing and secure data hosting.

As cybersecurity continues to move up business risk registers, Cyberfort is perfectly placed to support companies at all stages of cyber maturity and provide solutions that can adapt and evolve as the risk and regulatory landscapes change.
