British Airways (BA), the largest airline in the United Kingdom, founded in 1974, suffered a massive breach of customer data in 2018. Customers who booked flights through the BA website or mobile application were redirected to a malicious website controlled by the attackers. The information taken included names, addresses, usernames, passwords, credit card details, and other information required for travelling.
The Information Commissioner's Office (ICO), the UK's data protection regulator, investigated how the attackers accessed the information of more than half a million BA customers and found that a hacking group known as Magecart was responsible for stealing the data. The ICO believed that the incident lasted for three months, starting in June 2018, and that it was made possible by British Airways' poor information security arrangements.
Magecart is the collective name for a number of criminal groups that specialise in stealing credit card details from unsecured payment forms on websites, frequently those built on the Magento e-commerce platform. The attack works by compromising third-party software supplied by a value-added reseller or systems integrator, or by infecting an existing process on the site without the IT department's knowledge.
Andrew Dwyer, a cybersecurity researcher at the University of Oxford, said that the individual error could be seen as trivial, since only one script was compromised, yet that script was used to exfiltrate customers' data. Moreover, the compromise was not found immediately and the script had not been updated, which suggests a more systemic issue of IT governance at BA. Effective monitoring would have picked up the change quickly, but it went unnoticed for three months.
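The monitoring Dwyer describes can be as simple as recording an approved hash for every script the payment page serves and alerting when a served copy no longer matches. The following is an added example, not code from the article, from BA or from the ICO: it hashes scripts in the Subresource Integrity (SRI) format that browsers accept, compares each served file against an approved baseline, and, for any file that has drifted, lists URL literals pointing at hosts outside an allowlist. The script paths, host names and script contents are constructed for the example.

```python
# Added example (not part of the original article): a minimal script-integrity
# monitor. It hashes each served script in SRI format, compares it with an
# approved baseline, and flags URL literals that point at non-allowlisted hosts.
import base64
import hashlib
import re

# Constructed allowlist of hosts the site legitimately references.
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}

# Constructed sample: the checkout script as reviewed and deployed.
APPROVED_SCRIPT = b"""
var form = document.getElementById('payment');
form.addEventListener('submit', function () {
  fetch('https://www.example-airline.test/api/book', {method: 'POST'});
});
"""

# Constructed sample: the same script with an unreviewed line appended that
# references a host the site does not own.
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"""
var beacon = 'https://cdn.not-our-domain.test/collect';
"""

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_hash(content: bytes) -> str:
    """Return the integrity value a browser accepts in an SRI attribute."""
    digest = hashlib.sha256(content).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_baseline(scripts: dict[str, bytes]) -> dict[str, str]:
    """Record the approved hash of every script at deployment time."""
    return {path: sri_hash(body) for path, body in scripts.items()}


def foreign_hosts(content: bytes, allowed: set[str]) -> list[str]:
    """Hosts referenced by URL literals in the script that are not allowlisted."""
    hosts = {m.group(1).decode("ascii") for m in URL_RE.finditer(content)}
    return sorted(h for h in hosts if h not in allowed)


def check_scripts(served: dict[str, bytes], baseline: dict[str, str]) -> list[dict]:
    """Compare what the site is serving now with the approved baseline."""
    findings = []
    for path, expected in baseline.items():
        body = served.get(path)
        if body is None:
            findings.append({"path": path, "issue": "missing"})
            continue
        actual = sri_hash(body)
        if actual != expected:
            findings.append({
                "path": path,
                "issue": "modified",
                "expected": expected,
                "actual": actual,
                "foreign_hosts": foreign_hosts(body, ALLOWED_HOSTS),
            })
    # Anything served that was never approved is worth a look as well.
    for path in served:
        if path not in baseline:
            findings.append({"path": path, "issue": "unexpected"})
    return findings


if __name__ == "__main__":
    baseline = build_baseline({"/js/checkout.js": APPROVED_SCRIPT})
    for finding in check_scripts({"/js/checkout.js": MODIFIED_SCRIPT}, baseline):
        print(finding)
```

Run periodically against the live site, a check like this turns a three-month blind spot into an alert within one polling interval; the same `sha256-...` value can be placed in the script tag's `integrity` attribute so that browsers refuse a modified file outright.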
As a result of this incident, the Information Commissioner's Office (ICO) announced its plan to impose a fine on BA of £183 million, or 1.5 percent of BA's global turnover. The ICO said it was the biggest penalty it had ever handed out and the first to be made public under the new rules. However, the ICO's announcement is not final; it is a notice of intent stating that the regulator would like to impose a penalty on BA if the organisation is found to have been negligent in its handling of customer information.
According to Rowenna Fielding, senior data protection lead at the data protection consultancy Protecture, for the ICO to enforce against an organisation it must be satisfied that the organisation did not take appropriate technical and organisational measures to secure the data. Even if the penalty goes ahead, BA can still appeal the decision. Whatever the outcome, the expenditure that would have been required to patch the vulnerability in the first place cannot have approached the size of the fine. Eerke Boiten, professor of cybersecurity at De Montfort University, said that the actual expenditure on technical solutions and staff time to implement the right information security to prevent this would not have come anywhere near a nine-figure sum like the fine.
According to Elizabeth Denham, the Information Commissioner, when an organisation fails to protect customers' personal data from loss, damage or theft, it causes more than an inconvenience. She added that the law is clear: when you are entrusted with personal data, you must look after it. Those that do not will face scrutiny from her office to check whether they have taken appropriate steps to protect fundamental privacy rights.
The ICO said BA had cooperated with its investigation and had made improvements to its security arrangements.
Tim Turner, a Manchester-based data protection consultant, believed that there is no guarantee that the penalty will be this big, or that it will happen at all. He added that the important thing to remember is that this is a first draft: every penalty begins with a notice of intent, and the organisation has the right to make representations.