ICO Issues A Record Fine for BA

10th July 2019

The ICO has issued a notice of its intention to fine British Airways £183.39M for failing to comply with the General Data Protection Regulation (GDPR).

The financial penalty is so far the heaviest fine handed out by the ICO since the GDPR came into force.

Data exposed in the breach comprised customer names, email addresses, payment card information, credit card numbers, expiry dates and credit card security codes.

However, BA has said that CVV numbers had not been stored, which indicates that the details were taken at the point of entry. As customers typed in their credit card details, a piece of malicious code on the BA website or app may have been harvesting those details and sending them to someone else.

Ticketmaster suffered a similar attack in June 2018, when a third-party chatbot embedded in its site was compromised. The attackers used this code to extract customer payment information directly from the Ticketmaster website.

Third parties may supply code to run payment authorisation, present ads or allow users to log into external services, for example. This is an increasing problem for websites that embed code from third-party suppliers: compromising the supplier's code to reach the sites that embed it is known as a supply chain attack.

Organisations put a lot of confidence in third-party services. But in an age when the breached organisation is held fully accountable, how does a supplier provide assurance that it continually strives to protect its service, and ultimately your reputation? And should organisations contracting with a third party be taking more care, not only during the third-party selection process, but throughout the duration of the contract?

Prof Woodward, a cyber-security researcher, added that private firms using third-party code on their websites and apps must continually vet such products to ensure weak points in security don't emerge.

“You can put the strongest lock you like on the front door,” he said, “but if the builders have left a ladder up to a window, where do you think the burglars will go?”

How can you prove integrity and reliability?

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

So, how do organisations ensure that they are protecting their customers’ fundamental data privacy rights when they use a number of third parties? How can organisations carry out an audit on their supply chain, without massively adding to their current workload?

Confidently Audit and Measure your Supply Chain Risks

RiskView actively scans for risks within your business, locating information and GDPR risks inside your organisation and right throughout your supply chain. It provides alerts when a risk has been identified and delivers automated reports on how, and whether, the supply chain is adhering to agreed security protocols.

RiskView regularly audits information risk and produces a confidence score, so that organisations can securely use third-party services as part of their own.

The message is clear – if you don’t take fundamental steps to protect your customers’ data expect severe punishment when things go wrong.