The message is clear: today you have to treat your customers’ data with the utmost care. If something goes wrong, be prepared to pay the price.

Last year, the Information Commissioner’s Office (ICO) fined Facebook $626,000 over the Cambridge Analytica scandal. It was a record at the time, set by the maximum fine allowed before GDPR came into force and seriously shaking up the data privacy sector. Just one year later, British Airways – “the world’s favourite airline” – faces a record $230 million fine after a compromise of its website exposed the personal details of 500,000 customers. The sum is equivalent to 1.5% of the company’s annual turnover.

The ICO acknowledged that it was the biggest penalty it has handed out, and the first to be made public under the new rules. The incident happened in June 2018. For three months, customers booking flights through the British Airways (BA) app or website had their details harvested by malicious code that sent them to a fake website controlled by the attackers. The ICO confirmed that the hackers – a group known as Magecart – obtained the information of half a million users thanks to a vulnerability in third-party JavaScript used on the website.

Magecart had secreted 22 lines of code that diverted payment details to a separate website controlled by the criminals. Interestingly, Andrew Dwyer, a cybersecurity researcher at the University of Oxford, noted that a simple fix could have prevented the problem for BA altogether.

The third-party piece of JavaScript, called Modernizr, sent data to – a website with a name similar to the official BA site. The copy of Modernizr on BA’s site had not been updated for a long time, so the weakness could have been removed well before it was exploited.

Dwyer explained that, “As a singular error it could be seen as fairly trivial – as it was one script that was compromised and used to exfiltrate data. However, that it was not found for so long and that script had not been updated suggests a more systemic issue of IT governance at BA – meaning it is unlikely this is an isolated vulnerability. Effective monitoring would have picked this up quickly – not the three months it took BA. Even today, its payment page still gives access to third-party scripts and does not add sufficient protections that would necessarily be expected to keep payment segmented from potential access from these third parties.”

After the incident, BA confirmed that the stolen data did not include travel or passport details. It did, however, include names, email addresses and credit card information – card numbers, expiry dates and the three-digit CVV codes – as well as login and booking details.

Information Commissioner Elizabeth Denham commented on the incident, “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Since the ICO’s findings, British Airways has improved its web security. However, the company refuses to take unconditional responsibility for the breach. Alex Cruz, Chairman and Chief Executive of BA, commented on the ICO’s decision in a statement: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Willie Walsh, the CEO of BA’s parent company International Airlines Group (IAG), said that “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Rowenna Fielding, Senior Data Protection Lead at the data protection consultancy Protecture, said that the main reason the ICO’s intended fine is so large is the number of people whose information was stolen, together with the impact of the breach on those people. It is important to note, however, that nothing is final yet. Every penalty begins with a notice of intent, and the organisation has the right to make representations. Fielding also points out that the ICO’s announcement is not a declaration that it will fine BA the full amount; rather, it is a “notice of intention” that it would like to fine the company $230 million, and that is far from a done deal.

Perhaps the worst thing about BA’s position, from the point of view of the people affected, is that it blames unspecified criminals for the hack rather than accepting responsibility for the weaknesses that let it happen.

The ICO, on the other hand, had long warned that it would impose much larger fines once the new GDPR rules were in force. That is exactly why it was given the power to levy such penalties: to force companies to act to prevent such breaches, rather than simply apologising for any “inconvenience” when they occur.