BA Breach - What Did We Really Learn?

The announcement last week that the Information Commissioner’s Office (ICO) has settled on a fine of £20m for British Airways, following its investigation into the airline’s handling of personal data, would, we imagine, create mixed feelings within the senior management of the beleaguered company.

On the one hand it compounds what, to this point, has been nothing less than a catastrophic year for BA, and of course the wider travel industry. On the other, the fine is significantly less that the previously mooted figure of over £180m that some experts predicted.

Aside from the headline-grabbing financial implications there were some other statistics emerging from this well publicised investigation that provided insight into the good and bad of how large corporations respond during a cyber breach. In BA’s case, there was a significant difference between the time it took to identify that a breach had occurred and their response time, once this was confirmed. It is widely acknowledged that the breach of BA systems was ‘live’ for around two months, during which time the personal data of around 429,612 customers and staff is believed to have been accessed. However, once BA became aware of the breach, the access was shut down in under 90 minutes.

This is significant and clearly shows, as is often the case in a cyber attack, that prevention is the hardest strategy to ‘get right’. Breaches are often simple, but sustained, and can often be easily stopped once the existence of a breach is known. But implementing a longer-term strategy of prevention is the most important and hardest part to create and evolve. The BA breach is yet another example that clearly demonstrates the importance of an effective incident response function - whilst highlighting how cyber strategy should not be viewed in isolated terms of ‘defence’ and ‘reaction’. Instead, a more holistic approach should be adopted, driven by a unified strategy that incorporates elements that are not mutually exclusive. The combination of strategies and tools used, if designed and implemented correctly, will work together to form a robust framework within which cyber security is designed, delivered and monitored in tandem.

In BA’s case they clearly had the incident response function prepared, underlined by the relatively impressive hour and half it took to nullify and contain the attack. As is well documented, the speed of response to an incident has a direct correlation to the impact on business operations. But it is also clear that BA’s ‘prevention’ approach lacked the strategic direction and tools to prevent the breach in the first instance. So, despite the impressive response once the breach was discovered, BA were still impacted significantly because of their failures in other areas – in particular, their inability to prevent or identify the breach earlier in the kill chain – not to mention adhering to their own governance policies.

So how did this breach occur? We know the attacker gained access using the credentials of an employee from a 3^rd party supplier, Swissport. We also know that there was only single factor authentication required (username and password) with no multi factor authentication in place, not to mention any evidence of public IP or application whitelisting. Ultimately, following a detailed investigation, the ICO concluded that, under the requirements of the GDPR, BA had failed in its obligation to ‘ensure appropriate security’ (Article 5) and to ‘implement appropriate security’ (Article 32)

The impact on BA may also be far from over. We are starting to see a rise in class action law suits where individuals join forces to bring a singular claim against organisations for breach of privacy or data loss. Significantly, following the ruling of the Vidal-Hall case brought against Google in 2013, claimants no longer need necessarily to demonstrate financial loss in order to seek damages. We saw this in the Morrison’s breach back in 2017. BA are currently staring downing the barrel of a similar claim with litigation lawyers suggesting that affected parties could get as much as £2000 each; which multiplied by 400,000 potential cases could see costs to BA reach as much as £800m. Whilst unlikely, it still has the potential to not only dwarf the initial fine estimation of £180m but, more importantly, to remain a painful thorn in BA’s side for years to come.

BA, of course, are not the first and they certainly won’t be the last, but acceptance of the inevitability of the breach should not translate into apathy about how we better protect our data and that of our customers. In fact, when considering cyber resilience it is suggested that organisations should adopt an approach that assumes a breach will happen and work back from there, as opposed to implementing purely defensive and protective measures backed up with fingers-tightly-crossed-behind-backs.

ABOUT US

Recruited from the UK Intelligence and Security Services, our people offer a unique insight into global cyber risks coupled with the knowledge and tools to effectively deal with and mitigate threats.

We understand that every situation is unique, including the impact it can have on individuals and organisations. Whether you are dealing with an incident in progress or simply need to turn to someone for confidential advice, contact us for a no-obligation conversation.

SOME OF OUR SPECIALISTS

Jake Hockley

CEO
James Tamblin

CTO
John Downham

Penetration Testing Director
Lewis Anderton

Consultant

Jake is a cyber investigations professional with extensive experience of working with government and private clients at the highest level. He began his career working for the UK Government against threats to National security before founding Marclay and using his expertise to assist commercial clients. Jake is the company CEO and works closely with senior legal contacts in the UK and abroad.
James is former military intelligence officer with experience of leadership in technical defensive environments. He is an expert in risk and security with a background in management and crisis response across several security disciplines. Since leaving the military he has worked in advisory roles in the security and intelligence sector - delivering projects for global banks, consumer businesses, multinational technology giants and family offices across Europe, the Middle East and the Americas.
John is a cyber security specialist who began his career working for the Ministry of Defence in the area of information exploitation. He progressed to work for the UK government conducting penetration testing at specialist and sensitive sites throughout the UK. Using his extensive expertise, John now leads the technical department at Marclay, delivering security audits, security testing, penetration testing and intelligence gathering.
Lewis is a cyber security investigator specialising in digital forensics, data recovery and preservation of legal evidence. After a successful career in the Royal Air Force and the Metropolitan Police as an Intelligence Analyst, Lewis uses his experience and knowledge to handle the most complex cases – presenting information and options to a variety of stakeholders. His experience in a variety of sensitive environments enables Lewis to provide timely, practical and actionable advice in a crisis situation.

CONSULTANCY SERVICES

We are there when you need us. With the expertise and gravitas to handle the most challenging technical and political situations, we can help you eliminate threats and restore confidence. As a trusted advisor, we provide clarity and assurance for your key stakeholders.

Issues our Crisis response team typically deal with:
- Internal and external cyber attacks
- Data breaches
- Digital extortion
- Social media attacks and reputation harm
- Advisory services
The chances are that whatever situation you’re facing, we’ve dealt with it before.

Simply contact us for a no-obligation conversation to discuss options.
Our Cyber Investigations capability is unrivalled. Conducted by security vetted consultants with UK Government and Police backgrounds, we use a variety of tools and techniques to uncover the truth.

Whether you need to quickly gather intelligence, or you require evidential-standard investigations, we can provide a responsive and dependable service.

Examples of investigative activity:
- Post-incident investigations to establish cause, extent of breach and to advise on mitigation
- Digital forensics and discovery of key data from devices and storage media to support legal cases or investigations
- Cloud forensics
- Establishing the identity of hostile parties
- Assisting law enforcement and judicial agencies with intelligence
Threats can materialise in a variety of ways – often unanticipated and from unknown sources.

With our Threat Management and Alerting services, we provide unique insights into your global systems using artificial intelligence - identifying threats in real-time rather than after the event.

We monitor a variety of sources for threat intelligence including the public Internet, internal networks, social media, and the dark web.

Simply contact us for a confidential, no-obligation discussion.
We offer a variety of services to provide reassurance or highlight vulnerabilities that need to be addressed. From network-level assurance to application-specific testing of servers and systems, we will tailor a service to your needs.
- Network | Cloud Infrastructure and Application testing
- Phishing Excercises
- Vulnerability Analysis and Monitoring
- Social Engineering and Physical Penetration Testing
- Open Source Intelligence Discovery - What are you exposing to the internet?
Simply contact us for a confidential, no-obligation discussion.
Whether you are seeking assurance or need to address known problems, our Cyber Security Audits will provide the information you require and advise on areas for improvement.

As your trusted advisors, our pragmatic approach is tailored to your organisation’s operating environment and can be aligned to global standards such as ISO27001 and SOC2.

Simply contact us for a confidential, no-obligation discussion.
Our advisory and support services have proved invaluable to many global, high-profile organisations.

To augment your team on an ongoing basis, we offer a Virtual or Outsourced Information Security Officer (ISO). Whether you need the assurance of having someone to turn to for advice or need a fully embedded ISO to enable a transformation programme – we can help.

Simply contact us for a confidential, no-obligation discussion.

SECURE MANAGED COMMUNICATIONS

Designed by Cyber Security Specialists who were active members of the UK Military and Intelligence Services, Marclay One™ is a secure communications platform that provides everything needed to conduct business in a private, secure environment with the highest levels of discretion. The system is particularly suitable for high-risk and high-profile teams where elevated levels of privacy and protection are required.

Marclay One™ can be rapidly deployed globally and is backed up by a security-vetted team providing world-class service, support and advice.

For more information on Marclay One™

CLICK HERE