[Updated] 2018 data breach : BA fined £20 million
#46
Join Date: Aug 2018
Location: LHR
Programs: BAEC
Posts: 6
XSS vulnerabilities feature in the OWASP Top 10, and are trivial to identify using free web application scanners.
BA are clearly accountable for this. They simply did not care enough to protect our data - and sadly nor do many other major UK organisations...
Recent research published suggests the average FTSE250 organisation exposes 35 different attack surfaces, which when fingerprinted were often found to be using outdated or unsupported web server software.
To reiterate another post's point - if BA have this level of appetite for risk i.e. "Surely that won't happen to us" - what can we expect from their aircraft engineering programme?
#47
Suspended
Join Date: Jun 2008
Posts: 2,246
#48
Join Date: Mar 2009
Location: UK
Programs: BA Gold / Hilton Diamond / IHG Diamond Ambassador / Marriot Bonvoy Gold
Posts: 2,527
#49
FlyerTalk Evangelist
Join Date: Nov 2011
Location: Brighton. UK
Programs: BA Gold / VS /IHG Diamond & Ambassador
Posts: 14,176
The ICO won’t like the Cruz comments basically denying any fraud (which are clearly incorrect).
Some contrition is needed from BA not bluster.
#50
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,873
As I mentioned some months ago when this first happened, the avenue the hackers used was a well known approach in the industry and, indeed, avoiding exactly this was a specific part of the design and penetration testing for a large website I was putting live for a client at the time. BA's approach to payment security wasn't good enough at the time and it's quite right that a detailed investigation by the ICO and others has found issues in their approach. The reason companies go online is generally to save money by allowing customers to "self-service". However, doing it properly and legally still requires significant investment and BA were lacking.
#52
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 6,395
In the context of the options available to the Information Commissioner (as per the relevant GDPR formula quoted by FT-er V10 at post # 19), it seems that BA could well get off rather lightly here with a figure of £183m, if - once the appeal is heard - this proposed fine, or perhaps a lesser figure, is eventually imposed.
That said, in many cases involving apparent negligence the exact level of any financial penalty is not in itself the key factor. If medical professionals are found guilty of negligence, it is very often the damage to their reputation and status that becomes the true punishment. Current BA management give every appearance of being less than protective of the airline’s erstwhile good image, but it could be that in the longer term this image will suffer yet further as a result of the data breach, and in particular the manner in which the airline handled its impact on many customers.
ACAS talks begin today in the hope of averting a threatened strike by BALPA members. This, together with fresh media coverage surrounding the data breach - just when BA were no doubt quietly hoping that the wider world had begun to forget about the incident - is, safe to say, not the ideal backdrop to any ‘Centenary Celebrations’.
#53
Join Date: Apr 2007
Location: UK/Australia
Programs: BAEC Silver, UA2MM, QF Platinum, VA Platinum, Volare Executive Club
Posts: 2,507
It seems like he should've listened to what his minions were saying... (I imagine).
#54
Suspended
Join Date: May 2011
Location: London
Programs: *A G, OW S.
Posts: 996
As one of the people affected I can only say I'm delighted at the way the ICO has acted. BA need to be held to account for this breach and not walk away having given a glib response (as they did when someone flicked a switch that closed the whole operation down for four days causing chaos for many people) and this fine is small in comparison to their profit margins.
If anyone is interested, I'm signed up to the class action with Hayes Connor, I've found them professional and clear and have no reservations about how they are proceeding.
https://www.hayesconnor.co.uk/
If there is any money to come, I will give it to charity, I don't want or need the money but I do want BA and their cavalier management held to account.
The only other thing I can do, I have done: taken 90% of my business elsewhere.
#55
Join Date: May 2014
Posts: 7,212
https://nilf2017.sched.com/speaker/b...ancis.1w8hjegx
It seems like he should've listened to what his minions were saying... (I imagine).
The problem is that no one is admitting guilt. I haven't heard anyone saying "Guys, we screwed up". Alex is, to this day, adamant that his "Be a dragon" thing was a good idea.
#56
Join Date: Nov 2012
Location: Manchester but from Yorkshire better known as Gods country
Programs: BA Gold, Sandals plat
Posts: 839
Wouldn't a better punishment be to set a figure (fixed fine) to cover the inconvenience to the individual, and for the company involved (in this case IAG) to be responsible for any financial losses arising from the breach?
#57
Join Date: Aug 2012
Location: Provincie Antwerpen, Vlaanderen, België
Programs: MUCCI Gold
Posts: 2,512
#58
Join Date: Jan 2012
Location: Northumberland
Posts: 151
The "no evidence of fraud" point by Álex Cruz is difficult to square with the evidence. I have sent to High Value Customer management a detailed list of the various fraudsters, all over the world, who have benefited from my Amex and the Bank of Ireland cards. Those cards appear on a list available for sale on the Dark Web. I am one of their customers, and I was a victim of fraud.
Rant time: lawyers will make a nice bit of dosh arguing about the size of the £183m. The £183m number will more than likely be reduced in size. Lawyers will then make a nice bit of dosh arguing over that number. The people impacted will likely end up with diddly squat and the government will more than likely have found a new form of tax revenue.
My approach is similar to BA: I couldn't care less.
Last edited by abitwild; Jul 8, 2019 at 6:06 am
#60
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,902
I also bailed on SPG and joined the Hayes Connor action. I've found them to be excellent, clear about what's involved and up front about the costs.
I've taken my next long haul flights to KLM, and I can't wait to try something different.
Alex IMO is being disingenuous. I'm sure that Amex would be delighted to confirm just how much attempted fraud they stopped as a result of this. I also found out from Amex way before BA deigned to send anything out.