In June 2018, British Airways was hacked; criminals stole personal and financial information from 500,000 of its customers. Now, just over a year later, the consequences of this breach are becoming clear.
While BA described the attack as being “very sophisticated”, the ICO has found that the information was “compromised by poor security arrangements”. The result? The ICO issued its highest proposed fine to date under the Data Protection Act 2018: £183.4 million, equivalent to 1.5% of BA’s 2017 global annual turnover.
More than a slap on the wrist
Despite being the highest penalty issued by the ICO to date, it could have been worse. The ICO chose the global annual turnover option over the fixed €20 million, yet the fine is still well below the 4% of turnover available to it. Much like the CNIL, which fined Google €50 million rather than the maximum, the ICO has not imposed the highest fine it could.
BA has unsurprisingly stated it will be appealing the penalty and has 28 days to do so. The ICO will hear representations from BA before its final decision.
Everyone is paying attention now
While customers have not suffered any monetary loss (just the inconvenience of cancelling their cards), the intended penalty should make organisations sit up and take notice. Data protection is not just a ‘tick box’ exercise; effective measures must be taken to safeguard the information organisations are entrusted with.
So what should organisations do?
Test, test, improve
For one, they should schedule regular penetration tests, multiple times a year. Many organisations make the mistake of concentrating on certain departments and leaving the rest untested, so penetration testing should take place across the entire business.
Another good prevention method is regular user awareness training covering phishing and similar attempts. While employees are often seen as the weakest link in the chain, they can also be the biggest advocates of cyber security. Organisations should make employees aware of the types of attacks and how to spot and report them, which will help protect the organisation.
In terms of future-proofing, red teaming should be considered, as it simulates what a real attacker would or could do. This complements regular penetration tests and demonstrates that an organisation is taking data protection seriously and protecting the personal data it processes.
Avoiding the consequences
With so many variables to consider, organisations must ensure they’re doing all they can to mitigate risk and protect themselves. It’s not just their reputation on the line or damage to customer trust; this latest fine from the ICO demonstrates just how much businesses stand to lose as a result of non-compliance.
If you wish to receive any further information on any of Bridewell’s services, please call the team on 01189 255 084.
Written by Becky Nicholson