[Updated] 2018 data breach: BA fined £20 million

Old Jul 8, 2019, 1:07 am
  #16  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,804
Here is the press release made by the Information Commissioner's Office, the organisation which has proposed this fine:
Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.

ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
corporate-wage-slave is offline  
Old Jul 8, 2019, 1:11 am
  #17  
 
Join Date: Apr 2005
Location: Windsor
Programs: BAEC Gold
Posts: 909
BA’s defence this morning seems to be that “BA responded quickly to a criminal act” and “we have found no evidence of fraud/fraudulent activity on accounts linked to the theft”
JimEddie is offline  
Old Jul 8, 2019, 1:11 am
  #18  
V10
 
Join Date: Aug 2012
Location: Provincie Antwerpen, Vlaanderen, België
Programs: MUCCI Gold
Posts: 2,512
I don't think that there is any great mystery around the size of the fine. GDPR allows for a maximum of 20M EUR or up to 4% of turnover in the preceding financial year. For a company the size of BA, this is going to be a big number.
SK, wrp96, Dover2Golf and 2 others like this.
V10 is offline  
Old Jul 8, 2019, 1:11 am
  #19  
 
Join Date: May 2014
Posts: 7,237
Originally Posted by Cw novice
Will be interesting to see if this has any effect on AC's position. My only hope would be that frontline staff aren't made to bear the brunt of management mistakes.
The thing is Alex isn't 100% culpable of this (and it pains me to say so). The only IT blunder he's directly responsible for is the outsourcing of the BA App team to NIIT, a tits-up of such cataclysmic proportions, at least internally, that anyone else would've been thrown into the Waterside lake.

Those who are really responsible for the data breach - as well as the IT outage and the myriad of smaller issues, snags and problems BA has faced in the last 3 years - are those who decided to go ahead with the IAG GBS plan: Willie Walsh, CEO. Enrique Dupuy, CFO. Bill Francis, CIO. One of the mysteries I've never quite come to understand is how on Earth did Bill retain his job after the massive catalogue of failures he's racked up since the inception of IAG GBS.
wrp96, alpenlupe and becks1 like this.
13901 is offline  
Old Jul 8, 2019, 1:16 am
  #20  
 
Join Date: Jul 2014
Programs: Mucci de l'Arbitrage
Posts: 927
AC comments: “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft”

That is of course a correct statement given he has no access to any bank account or credit card data. The only accounts he has access to are BAEC which were found not to be compromised.

So, factual: yes, disingenuous: yes, borderline dishonest: yes.
Takiteasy is offline  
Old Jul 8, 2019, 1:18 am
  #21  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,613
Originally Posted by JimEddie
BA’s defence this morning seems to be that “BA responded quickly to a criminal act” and “we have found no evidence of fraud/fraudulent activity on accounts linked to the theft”
That's plainly BS, and the line they've been peddling ever since this occurred. Maybe they should just apologise, pay the fine and move on?
DYKWIA is offline  
Old Jul 8, 2019, 1:20 am
  #22  
Suspended
 
Join Date: Jun 2008
Posts: 2,246
IAG shares are down.
FlyerTalker39574 is offline  
Old Jul 8, 2019, 1:23 am
  #23  
 
Join Date: Apr 2005
Location: Windsor
Programs: BAEC Gold
Posts: 909
Originally Posted by DYKWIA
That's plainly BS, and the line they've been peddling ever since this occurred. Maybe they should just apologise, pay the fine and move on?
Agreed, because how would BA know whether there has been any fraud as a result of the interception of credit card, address and other personal data?
JimEddie is offline  
Old Jul 8, 2019, 1:25 am
  #24  
 
Join Date: Aug 2013
Posts: 8,770
Originally Posted by muscat
With 45 million passengers per year, it’s only an extra £4 on every ticket. I do wonder what the point of these massive fines are when it is easy for a major company to pass the (minor) cost on to a large number of consumers. Surely better to fine board members or executives.
If BA could easily add an extra £4 to every ticket, don’t you think they’d have done that already..?
Ldnn1 is offline  
Old Jul 8, 2019, 1:26 am
  #25  
 
Join Date: Apr 2005
Location: Windsor
Programs: BAEC Gold
Posts: 909
Originally Posted by Ldnn1
If BA could easily add an extra £4 to every ticket, don’t you think they’d have done that already..?
They’ll probably just put up the prices of ancillary items like seat selection and extra bags
JimEddie is offline  
Old Jul 8, 2019, 1:29 am
  #26  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,916
Originally Posted by JimEddie
Agreed, because how would BA know whether there has been any fraud as a result of the interception of credit card, address and other personal data?
They won't get the individual details, but they will be getting a summary from their acquiring (card transactions) bank and the card brands that are dealing with a pattern of fraud that points back to cardholder data that was known to be compromised.

Oh and BA would have been and may still be paying penalties on every card transaction for quite some while due to the loss of cardholder data; the banks have had BA's goolies in a vice for quite some time over this as contractually they would have been over a barrel under the breach of the PCI regulations.

£183m announced today is not the whole story.
JimEddie likes this.
plunet is offline  
Old Jul 8, 2019, 1:29 am
  #27  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,804
Originally Posted by 13901
are those who decided to go ahead with the IAG GBS plan:
So just to explain that one a bit more, IAG Global Business Services is now responsible for procurement, central finance and IT services to IAG's airlines. Its offices are just to the north of central Kraków (currently; they may be moving elsewhere in the city), but with staff in London, Dublin and Madrid. You will sometimes see their staff whizzing around Europe on BA's aircraft; they seem to come equipped with ThinkPads brandishing the IAG logo. They have a Security Operations Centre, and that got additional resources in the immediate aftermath of the hack.

The "no evidence of fraud" point by Álex Cruz is difficult to square with the evidence. I have sent to High Value Customer management a detailed list of the various fraudsters, all over the world, who have benefited from my Amex and the Bank of Ireland cards. Those cards appear on a list available for sale on the Dark Web. I am one of their customers, and I was a victim of fraud.
1P, Jimmie76, DYKWIA and 26 others like this.
corporate-wage-slave is offline  
Old Jul 8, 2019, 1:34 am
  #28  
 
Join Date: Oct 2006
Location: London
Programs: Many. Too many. I came here to cut them down. I failed.
Posts: 2,999
Well, CWS has just beaten me to my point.

He (Cruz) said no evidence had been found of any fraudulent activity on accounts linked to the theft.
Is BA really arguing that? I've been hit by fraudulent transactions on my impacted AMEX last month, the first time I've ever had it happen.

Surely this can be simply proven? I'm keen for BA to avoid the pointless denials and get on with making things right.
becks1 likes this.
Sam Bee is offline  
Old Jul 8, 2019, 1:37 am
  #29  
 
Join Date: Nov 2010
Posts: 5,596
With the fine now announced, the court case can move on. I am sure BA will now settle, and I bet it will be more than £183 million.
Dover2Golf likes this.
rapidex is offline  
Old Jul 8, 2019, 1:40 am
  #30  
 
Join Date: Apr 2005
Location: Windsor
Programs: BAEC Gold
Posts: 909
Originally Posted by plunet
They won't get the individual details, but they will be getting a summary from their acquiring (card transactions) bank and the card brands that are dealing with a pattern of fraud that points back to cardholder data that was known to be compromised.

Oh and BA would have been and may still be paying penalties on every card transaction for quite some while due to the loss of cardholder data; the banks have had BA's goolies in a vice for quite some time over this as contractually they would have been over a barrel under the breach of the PCI regulations.

£183m announced today is not the whole story.
Whilst we’ll likely never find out, I’d be intrigued to hear more about what the PCI thinks of BA’s security, and more importantly whether the payment process used is now compliant.
JimEddie is offline  