[Updated] 2018 data breach : BA fined £20 million
#76
Join Date: Jun 2018
Programs: BAEC Silver
Posts: 160
Recent research published suggests the average FTSE250 organisation exposes 35 different attack surfaces, which when fingerprinted were often found to be using outdated or unsupported web server software.
BA has to do better on IT but saying things like XSS is trivial to fix is too easy. Also determined hackers (and 500,000 credit cards/other info will make people determined) can get into a lot of systems, sometimes via bugs in software, sometimes via poorly programmed applications and often due to human error. Whether it is clicking on suspicious links, not updating software, too simple passwords etc. Building a safe and usable IT infrastructure is hard (again not to defend BA or downplay this incident).
Last edited by stefan_nl; Jul 8, 2019 at 5:32 am
#77
Join Date: Sep 2003
Location: OSL
Posts: 2,638
???
Clearly any hackers if they could be found, would be arrested with criminal charges.
BA, as any company which handles financial data, has a responsibility to keep this data safe. Clearly they don't. This fine is simply a measure to apply this. To say this is unfair would be absurd - absurd would be random fines applied to companies.
I think it is just a shame that the fine wasn't higher as this will probably be negotiated down (quick and early payment, etc...).
Anyone thinking this is anti-BA, anti-capitalist, etc... would need to take a long look at themselves. They've clearly committed malpractice and for that there should be retributions. Their ability to self-govern and impose proper controls clearly has failed.
#78
Join Date: Jun 2014
Location: London
Programs: BA GGL
Posts: 1,405
I never bothered joining in any lawsuits. I got my fraudulent transactions annulled, got a new Amex, and moved on. Same as I didn't bother replying to the roughly 1,000,000 PPI claim things I got sent. The biggest winners from all law suits are always lawyers. Life is too short.
#80
Join Date: Mar 2015
Programs: BA GGL
Posts: 2,447
1. Deserves to be fined (well, to a sensible degree).
2. Serves it right for outsourcing things poorly.
3. However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
4. There's likely to be a knock-on effect, because the company will have less money. I s'pose BA is no longer investing 6.5bn, eh? Maybe 6.3bn? Hmmm.
5. I worry about what this all means for the customer at the end of the day. And I don't think it's likely to be positive.
#82
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,902
#83
Join Date: Oct 2015
Location: Vale of Glamorgan
Programs: BAEC Gold
Posts: 2,989
However, I see little point in fining companies - if the directors and senior management were held personally liable then we'd see a sudden change in attitude and investment.
#84
Join Date: Sep 2003
Location: OSL
Posts: 2,638
1. Deserves to be fined (well, to a sensible degree).
2. Serves it right for outsourcing things poorly.
3. However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
4. There's likely to be a knock-on effect, because the company will have less money. I s'pose BA is no longer investing 6.5bn, eh? Maybe 6.3bn? Hmmm.
5. I worry about what this all means for the customer at the end of the day. And I don't think it's likely to be positive.
What is the commensurate fine for you?
#85
Join Date: Apr 2015
Programs: Some
Posts: 5,232
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft" is a comically mealy-mouthed statement in response to this and makes it seem like BA don't even understand the basic implications of what it means to hold someone's credit card details. Totally pathetic.
#86
Join Date: May 2012
Location: Munich, Algarve, Sussex or S.F Bay Area
Programs: Mucci, BA Gold, A3*Gold, AA Plat, HH Gold, IHG Plat Amb, Marriott Plat
Posts: 4,158
#87
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,411
BA really need some PR lessons or at least employ someone with PR experience.
#88
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,600
It appears it was some sort of inside job (somebody got direct access to the server), so not much hacking involved. It was the time it took BA to notice that's the issue. And even when they did notice, their audit trail couldn't detect who had made the change. Assuming, of course, that the perpetrator hasn't actually been caught and it's not being reported.
#89
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,911
It's the acquiring bank (the one that BA has a contract with to process card transactions for them) that makes the assessment whether a customer like BA is compliant or not according to the standards published by the PCI council. At the level of transactions BA will be processing there are professional ISA or QSA assessors usually engaged on both sides - merchant and acquirer. The acquiring bank in turn reports this to the card brands that require the PCI standards for their card data: Visa, Mastercard, Amex, Discover, JCB. What is interesting is as far as I know BA never stopped taking card payments so some very very senior conversations and undertakings probably happened at global level in the aftermath of this incident - the typical response would be to cut the merchant off, preventing them from processing cards, if such a significant breach were discovered.
#90
Join Date: Apr 2005
Location: UK
Programs: IC Hotels Spire, BA Gold
Posts: 8,667
I didn't suffer any actual financial loss but it certainly was an annoying hassle. I had a phone call one day in mid-December last year from my CC provider saying they were going to suspend my card immediately because of possible fraudulent activity from the BA data breach. I certainly fell into the range of at risk dates that were published, having booked around 4-5 flights with BA over that period with my card. However to be fair, I didn't notice anything erroneous appear on my card at any time.
One inconvenience was the CC provider said a replacement would take 2-3 working days but in fact it took 7-8 days (probably due to the Christmas post) so I missed out on a lot of valuable points earning expenditure. The biggest inconvenience was having to re-enter the new card details to all organisations where it is stored to be able to make hotel, car park, airline (not just BA) reservations quickly. A key insurance policy covering my daughter's musical instruments that was on an auto-renew on the now cancelled card lapsed and for a few days these items were not insured, right at the time she was travelling with them so at the highest risk.
Was just all a PITA and the time that had to be taken to update all organisations with the card - but some would say time is money!