FlyerTalk Forums - View Single Post - [Updated] 2018 data breach : BA fined £20 million
Jul 8, 2019 | 7:58 am
  #97  
thebigben
Originally Posted by smudge
Aside from the consequences of the breach, the ICO will be looking particularly at whether it feels BA took all reasonable precautions to protect consumer data both before the breach, during the incident, and after. Do I recall there was at least one report on this board of someone actually reporting the potential for a breach to BA and then continuing to find the hole open for quite some time? Was that ever confirmed? I'm sure there is plenty we don't know about this incident, but if BA continued to trade in knowledge of the potential hole in its security, and if the ICO feels BA didn't do all it could to plug that hole whilst continuing to trade, the ICO will take a very dim view of it.
This is quite likely - BA's payment page loaded scripts from external websites, most likely for marketing purposes. This could be seen and confirmed by anyone who browses their website and looks at their browser's developer tools while doing so. This is a big no-no and it is suspected that this was the method the attackers used. You just do not ever load any scripts that you don't 100% control on your payment page (and even outside your payment page, you ought to be careful about it). Difficult for BA to know when they get compromised with this method, as everything looks the same as before on their end, but they definitely ought to have known that this was bad and that they should've fixed it. This is the kind of thing one finds with the most basic of audits.
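The check described in the post above (seeing which scripts a payment page loads), as an added example that is not part of the original post and not BA's code: a Node.js script that lists a page's script tags, flags those served from a different origin, and notes which of them lack a Subresource Integrity hash. The URLs and HTML are constructed sample input, and the regex-based tag extraction is an assumption suited to a quick audit rather than a full HTML parser.

```javascript
// Added example: audit a page's <script> tags for third-party origins.
// The URL and HTML below are constructed sample input, not real markup.
const SAMPLE_PAGE_URL = "https://shop.example/checkout/payment";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/js/checkout.js"></script>
  <script src="https://shop.example/static/js/vendor.js"></script>
  <script src="https://cdn.marketing.example/tag.js" async></script>
  <script src="//analytics.example/collect.js"
          integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
  <script>window.inlineConfig = {};</script>
</head><body></body></html>`;

// Read one attribute value from a tag's attribute string (quoted or bare).
function getAttr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every externally loaded script with its resolved URL and flags.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = getAttr(attrs, "src");
    if (src === null) continue; // inline script: nothing fetched remotely
    const resolved = new URL(src, pageUrl); // resolves relative and // URLs
    findings.push({
      src: resolved.href,
      thirdParty: resolved.origin !== pageOrigin,
      hasIntegrity: getAttr(attrs, "integrity") !== null,
    });
  }
  return findings;
}

// Third-party scripts with no SRI hash can change without the site noticing.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.thirdParty && !f.hasIntegrity)
    .map((f) => f.src);
}

console.log(auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL));
console.log("Unpinned third-party:", unpinnedThirdParty(SAMPLE_HTML, SAMPLE_PAGE_URL));
```
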