[Updated] 2018 data breach : BA fined £20 million

Old Jul 8, 2019, 5:10 am
  #76  
 
Join Date: Jun 2018
Programs: BAEC Silver
Posts: 160
Originally Posted by 7oh7
XSS vulnerabilities feature in the OWASP Top 10, and are trivial to identify using free web application scanners.
While it is true that XSS is in the OWASP Top 10 and can be trivial to detect, it is not a given. XSS can be extremely hard to detect and fix.

Recent research published suggests the average FTSE250 organisation exposes 35 different attack surfaces, which when fingerprinted were often found to be using outdated or unsupported web server software.
Fingerprinting and such tools also give a lot of false positives.

BA has to do better on IT, but saying things like "XSS is trivial to fix" is too easy. Also, determined hackers (and 500,000 credit cards/other info will make people determined) can get into a lot of systems, sometimes via bugs in software, sometimes via poorly programmed applications, and often due to human error, whether it is clicking on suspicious links, not updating software, too-simple passwords, etc. Building a safe and usable IT infrastructure is hard (again, not to defend BA or downplay this incident).
flyuk likes this.

Last edited by stefan_nl; Jul 8, 2019 at 5:32 am
stefan_nl is offline  
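As an added illustration of the point argued in the two posts above (this is example code written for this page, not code from any poster, from BA, or from the ICO report): the same untrusted value, passed through the same HTML-entity escaper, is harmless in a text node but a working XSS when dropped into an unquoted attribute or an href, and a scanner that pattern-matches the output gets it wrong in both directions. The payloads, templates and scanner heuristics are all constructed for the demo; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the thread): context-dependent XSS and why
// pattern-matching scanners produce both false negatives and false positives.

function escapeHtmlText(s) {
  // Classic entity escaping: sufficient for text nodes and quoted attributes only.
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Constructed attacker inputs, one per sink.
const PAYLOADS = {
  text: '<img src=x onerror=alert(1)>',
  attr: 'x onmouseover=alert(1)',
  url: 'javascript:alert(1)',
};

// Three sinks that all "escape" the value; two of them are still exploitable.
function renderText(v) { return `<p>${escapeHtmlText(v)}</p>`; }                    // safe
function renderUnquotedAttr(v) { return `<div title=${escapeHtmlText(v)}></div>`; } // XSS: space and '=' are not escaped
function renderHref(v) { return `<a href="${escapeHtmlText(v)}">me</a>`; }          // XSS: javascript: URL survives escaping

// Hardened sinks: quote the attribute; allow-list the URL scheme.
function renderQuotedAttr(v) { return `<div title="${escapeHtmlText(v)}"></div>`; }
function renderSafeHref(v) {
  const allowed = /^(https?:\/\/|\/(?!\/))/i.test(v); // http(s) or same-origin path
  return `<a href="${escapeHtmlText(allowed ? v : '#')}">me</a>`;
}

// Scanner 1: flags only a literal <script tag. Misses both real bugs above.
function scriptTagCheck(html) { return /<script/i.test(html); }

// Scanner 2: greps for event handlers or javascript: anywhere in the output.
// Fires on safely escaped text and on quoted attributes too (false positives).
function regexCheck(html) { return /\son[a-z]+\s*=|javascript:/i.test(html); }

// Scanner 3: parse tag attributes and judge each value in its actual context.
// Deliberately small tokenizer, enough for the templates in this demo.
function attributesOf(html) {
  const out = [];
  const tagRe = /<([a-zA-Z][^\s>/]*)([^>]*)>/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  for (let t; (t = tagRe.exec(html)) !== null;) {
    attrRe.lastIndex = 0;
    for (let a; (a = attrRe.exec(t[2])) !== null;) {
      out.push({ tag: t[1].toLowerCase(), name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
    }
  }
  return out;
}
function contextAwareCheck(html) {
  return attributesOf(html).some(({ name, value }) =>
    name.startsWith('on') ||
    (['href', 'src', 'action'].includes(name) && value.trim().toLowerCase().startsWith('javascript:')));
}

// Render every case and run all three checks over the output.
function evaluate() {
  const rendered = {
    text: renderText(PAYLOADS.text),
    unquotedAttr: renderUnquotedAttr(PAYLOADS.attr),
    quotedAttr: renderQuotedAttr(PAYLOADS.attr),
    href: renderHref(PAYLOADS.url),
    safeHref: renderSafeHref(PAYLOADS.url),
  };
  const results = {};
  for (const [name, html] of Object.entries(rendered)) {
    results[name] = {
      html,
      scriptTag: scriptTagCheck(html),
      regex: regexCheck(html),
      contextAware: contextAwareCheck(html),
    };
  }
  return results;
}

for (const [name, r] of Object.entries(evaluate())) {
  console.log(`${name.padEnd(13)} scriptTag=${r.scriptTag} regex=${r.regex} contextAware=${r.contextAware}  ${r.html}`);
}
```

Only the attribute-parsing check agrees with reality for all five outputs: the `<script`-only check misses both live bugs, and the grep flags the correctly escaped text node and the quoted attribute as well as the real ones. That gap between "the output contains a scary string" and "this value executes in this context" is what makes XSS triage slower than the OWASP Top 10 listing suggests.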
Old Jul 8, 2019, 5:12 am
  #77  
 
Join Date: Sep 2003
Location: OSL
Posts: 2,638
Originally Posted by Flexible preferences
I wonder how much the hackers are getting fined?
???

Clearly any hackers, if they could be found, would be arrested and face criminal charges.


BA, as any company which handles financial data, has a responsibility to keep this data safe. Clearly they don't. This fine is simply a measure to apply this. To say this is unfair would be absurd - absurd would be random fines applied to companies.

I think it is just a shame that the fine wasn't higher as this will probably be negotiated down (quick and early payment, etc...).

Anyone thinking this is anti-BA, anti-capitalist, etc... would need to take a long look at themselves. They've clearly committed malpractice and for that there should be retributions. Their ability to self-govern and impose proper controls clearly has failed.
dodgeflyer is online now  
Old Jul 8, 2019, 5:29 am
  #78  
 
Join Date: Jun 2014
Location: London
Programs: BA GGL
Posts: 1,405
I never bothered joining in any lawsuits. I got my fraudulent transactions annulled, got a new Amex, and moved on. Same as I didn't bother replying to the roughly 1,000,000 PPI claim things I got sent. The biggest winners from all lawsuits are always lawyers. Life is too short.


Originally Posted by ihatechoosingusernames
None, I'm in the same boat. Left the SPG case because I thought the revised terms weren't very clear.

I will keep an eye out though with a view to joining a class action ASAP.
snuffi is offline  
Old Jul 8, 2019, 5:30 am
  #79  
 
Join Date: Oct 2012
Location: On the underground
Programs: BMI Diamond Club, BA Executive Club
Posts: 462
I hope AC can find his hi-vis for the TV cameras this time.
pacenotes is offline  
Old Jul 8, 2019, 5:40 am
  #80  
 
Join Date: Mar 2015
Programs: BA GGL
Posts: 2,447
1. Deserves to be fined (well, to a sensible degree).
2. Serves it right for outsourcing things poorly.
3. However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
4. There's likely to be a knock-on effect, because the company will have less money. I s'pose BA is no longer investing 6.5bn, eh? Maybe 6.3bn? Hmmm.
5. I worry about what this all means for the customer at the end of the day. And I don't think it's likely to be positive.
mmxbreaks is offline  
Old Jul 8, 2019, 5:42 am
  #81  
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,578
Perfectly reasonable for BA to play a straight bat during the process of examination. Now time for an apology and some gestures of contrition.
Silver Fox likes this.
bisonrav is offline  
Old Jul 8, 2019, 5:44 am
  #82  
 
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,902
Originally Posted by Swampz64
I'd very much doubt it unless claimants can prove a loss.
Article 82 says that you can claim for non-material loss
T8191 and Dover2Golf like this.
Tiger_lily is offline  
Old Jul 8, 2019, 5:46 am
  #83  
 
Join Date: Oct 2015
Location: Vale of Glamorgan
Programs: BAEC Gold
Posts: 2,989
Originally Posted by mmxbreaks
However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
The fine needs to be high enough to encourage corporations to change their lax attitude toward data security.

However, I see little point in fining companies - if the directors and senior management were held personally liable then we'd see a sudden change in attitude and investment.
Misco60 is offline  
Old Jul 8, 2019, 5:49 am
  #84  
 
Join Date: Sep 2003
Location: OSL
Posts: 2,638
Originally Posted by mmxbreaks
1. Deserves to be fined (well, to a sensible degree).
2. Serves it right for outsourcing things poorly.
3. However, the fine is too high IMO - none of the money goes to those breached, it goes in some other pot AFAIK.
4. There's likely to be a knock-on effect, because the company will have less money. I s'pose BA is no longer investing 6.5bn, eh? Maybe 6.3bn? Hmmm.
5. I worry about what this all means for the customer at the end of the day. And I don't think it's likely to be positive.
Hasn't it now been proven that BA's 6.5bn is somewhat gobbledygook? No differentiation between Opex and Capex; nothing on whether it is list pricing or IAG pricing. So sure, it'll now be 6.3bn.

What is the commensurate fine for you?
dodgeflyer is online now  
Old Jul 8, 2019, 5:52 am
  #85  
 
Join Date: Apr 2015
Programs: Some
Posts: 5,232
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft" is a comically mealy-mouthed statement in response to this and makes it seem like BA don't even understand the basic implications of what it means to hold someone's credit card details. Totally pathetic.
Silver Fox likes this.
lost_in_translation is online now  
Old Jul 8, 2019, 5:58 am
  #86  
 
Join Date: May 2012
Location: Munich, Algarve, Sussex or S.F Bay Area
Programs: Mucci, BA Gold, A3*Gold, AA Plat, HH Gold, IHG Plat Amb, Marriott Plat
Posts: 4,158
Originally Posted by lost_in_translation
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft" is a comically mealy-mouthed statement in response to this and makes it seem like BA don't even understand the basic implications of what it means to hold someone's credit card details. Totally pathetic.
Well, actually, it is a lie. I have informed them and informed them that I have evidence. One card of mine was only ever used for BA purchases. You can guess which one was also fraudulently used.
Tafflyer is offline  
Old Jul 8, 2019, 5:58 am
  #87  
 
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,411
Originally Posted by lost_in_translation
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft".
Perhaps they were genuine purchases by genuine people, the accounts just don’t belong to them


BA really need some PR lessons or at least employ someone with PR experience.
Silver Fox likes this.
rockflyertalk is online now  
Old Jul 8, 2019, 6:01 am
  #88  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,600
Originally Posted by Flexible preferences
I wonder how much the hackers are getting fined?
It appears it was some sort of inside job (somebody got direct access to the server), so not much hacking involved. It was the time it took BA to notice that's the issue. And even when they did notice, their audit trail couldn't detect who had made the change. Assuming, of course, that the perpetrator hasn't actually been caught and it's not being reported.
Howard Long and wrp96 like this.
DYKWIA is offline  
Old Jul 8, 2019, 6:12 am
  #89  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,911
Originally Posted by JimEddie
Whilst we'll likely never find out, I'd be intrigued to hear more about what the PCI thinks of BA's security, and more importantly whether the payment process used is now compliant.
It's the acquiring bank (the one that BA has a contract with to process card transactions for them) that makes the assessment of whether a customer like BA is compliant or not according to the standards published by the PCI council. At the level of transactions BA will be processing, there are professional ISA or QSA assessors usually engaged on both sides, merchant and acquirer. The acquiring bank in turn reports this to the card brands that require the PCI standards for their card data: Visa, Mastercard, Amex, Discover, JCB. What is interesting is that, as far as I know, BA never stopped taking card payments, so some very, very senior conversations and undertakings probably happened at global level in the aftermath of this incident; the typical response would be to cut the merchant off, preventing them from processing cards, if such a significant breach were discovered.
plunet is offline  
Old Jul 8, 2019, 6:21 am
  #90  
BOH
 
Join Date: Apr 2005
Location: UK
Programs: IC Hotels Spire, BA Gold
Posts: 8,667
I didn't suffer any actual financial loss but it certainly was an annoying hassle. I had a phone call one day in mid-December last year from my CC provider saying they were going to suspend my card immediately because of possible fraudulent activity from the BA data breach. I certainly fell into the range of at risk dates that were published, having booked around 4-5 flights with BA over that period with my card. However to be fair, I didn't notice anything erroneous appear on my card at any time.

One inconvenience was the CC provider said a replacement would take 2-3 working days but in fact it took 7-8 days (probably due to the Christmas post), so I missed out on a lot of valuable points-earning expenditure. The biggest inconvenience was having to re-enter the new card details with all organisations where it is stored to be able to make hotel, car park and airline (not just BA) reservations quickly. A key insurance policy covering my daughter's musical instruments that was on auto-renew on the now-cancelled card lapsed, and for a few days these items were not insured, right at the time she was travelling with them, so at the highest risk.

Was just all a PITA and the time that had to be taken to update all organisations with the card - but some would say time is money!
T8191 and Sailbot3310 like this.
BOH is offline  