SecureTeam


BA record £183m fine for data breach

News | 12 July, 2019

The record proposed penalty of £183.39 million for a UK data breach signals a new era for the economics of information security.

The first penalty proposed by the UK's Information Commissioner's Office (ICO) under the GDPR regime, announced as a notice of intent on 8 July 2019, is roughly 367 times the £500,000 maximum available under the previous Data Protection Act 1998, which was the amount levied against Facebook in the aftermath of the Cambridge Analytica scandal.

The fine relates to a breach of the British Airways website and mobile app in which customers' payment card and personal details were stolen over a 15-day period starting on 21 August 2018. BA put the scale at around 380,000 payment card transactions; the ICO's notice refers to the personal data of approximately 500,000 customers.

While BA has remained tight-lipped about how the breach happened, security research firm RiskIQ has published a detailed analysis which points the finger at the Magecart criminal group. According to the researchers, the attackers replaced a copy of the Modernizr JavaScript library served from BA's own site with a modified version containing just 22 additional lines of code. That code hooked the payment form's submit button (its mouseup and touchend events), serialised the card and personal details as the customer completed checkout, and sent them to a server the criminals controlled on the look-alike domain baways.com. This technique, in which a legitimate page's own scripts are altered to steal form input, is known as formjacking; nothing on the server side is touched, so the transaction completes normally and the customer sees nothing wrong.

Alex Cruz, the chairman and CEO of British Airways, said he was “surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data.”

The response from BA's CEO is revealing: the emphasis is not on why a breach happened but on how well the firm says it handled the response once it had.

In contrast, Information Commissioner Elizabeth Denham said:

“…the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

For many business leaders, it often looks cheaper to write a response plan for a data breach they believe is unlikely ever to happen than to spend real money up front on equipment and staff to stop a breach happening in the first place. The ICO's comments make it clear that under GDPR that cynical logic no longer holds. With fines available of up to €20 million or 4% of annual worldwide turnover, whichever is higher (the proposed BA penalty amounts to roughly 1.5% of the airline's 2017 turnover), regulators appear keen to send the message that it will be far more economical to prevent a data breach than to clean up after one and face a huge fine.

The half-million-pound fine issued to Facebook after the Cambridge Analytica scandal was seen by many as too low to affect corporate behaviour in any way; it was merely a cost of doing business. In the wake of the BA penalty, it is becoming clear that for many businesses it will make far more commercial sense to invest in their information security and to be able to demonstrate that they did all they reasonably could to prevent a data breach.

Many Information Security managers may well find it easier to gain boardroom support for their request for budget as the implications of the new regulatory regime sink in.

cyber security news, formjacking, GDPR, Magecart, security breach