BA Breach - What Did We Really Learn?

The announcement last week that the Information Commissioner’s Office (ICO) has settled on a fine of £20m for British Airways, following its investigation into the airline’s handling of personal data, would, we imagine, create mixed feelings within the senior management of the beleaguered company. 

On the one hand it compounds what, to this point, has been nothing less than a catastrophic year for BA, and of course the wider travel industry. On the other, the fine is significantly less that the previously mooted figure of over £180m that some experts predicted. 

Aside from the headline-grabbing financial implications there were some other statistics emerging from this well publicised investigation that provided insight into the good and bad of how large corporations respond during a cyber breach. In BA’s case, there was a significant difference between the time it took to identify that a breach had occurred and their response time, once this was confirmed. It is widely acknowledged that the breach of BA systems was ‘live’ for around two months, during which time the personal data of around 429,612 customers and staff is believed to have been accessed. However, once BA became aware of the breach, the access was shut down in under 90 minutes.

This is significant and clearly shows, as is often the case in a cyber attack, that prevention is the hardest strategy to ‘get right’. Breaches are often simple, but sustained, and can often be easily stopped once the existence of a breach is known. But implementing a longer-term strategy of prevention is the most important and hardest part to create and evolve. The BA breach is yet another example that clearly demonstrates the importance of an effective incident response function - whilst highlighting how cyber strategy should not be viewed in isolated terms of ‘defence’ and ‘reaction’. Instead, a more holistic approach should be adopted, driven by a unified strategy that incorporates elements that are not mutually exclusive. The combination of strategies and tools used, if designed and implemented correctly, will work together to form a robust framework within which cyber security is designed, delivered and monitored in tandem. 

In BA’s case they clearly had the incident response function prepared, underlined by the relatively impressive hour and half it took to nullify and contain the attack. As is well documented, the speed of response to an incident has a direct correlation to the impact on business operations.  But it is also clear that BA’s ‘prevention’ approach lacked the strategic direction and tools to prevent the breach in the first instance. So, despite the impressive response once the breach was discovered, BA were still impacted significantly because of their failures in other areas – in particular, their inability to prevent or identify the breach earlier in the kill chain – not to mention adhering to their own governance policies. 

So how did this breach occur? We know the attacker gained access using the credentials of an employee from a 3rd party supplier, Swissport.  We also know that there was only single factor authentication required (username and password) with no multi factor authentication in place, not to mention any evidence of public IP or application whitelisting. Ultimately, following a detailed investigation, the ICO concluded that, under the requirements of the GDPR, BA had failed in its obligation to ‘ensure appropriate security’ (Article 5) and to ‘implement appropriate security’ (Article 32)

The impact on BA may also be far from over.  We are starting to see a rise in class action law suits where individuals join forces to bring a singular claim against organisations for breach of privacy or data loss.  Significantly, following the ruling of the Vidal-Hall case brought against Google in 2013, claimants no longer need necessarily to demonstrate financial loss in order to seek damages.  We saw this in the Morrison’s breach back in 2017.  BA are currently staring downing the barrel of a similar claim with litigation lawyers suggesting that affected parties could get as much as £2000 each; which multiplied by 400,000 potential cases could see costs to BA reach as much as £800m.  Whilst unlikely, it still has the potential to not only dwarf the initial fine estimation of £180m but, more importantly, to remain a painful thorn in BA’s side for years to come.

BA, of course, are not the first and they certainly won’t be the last, but acceptance of the inevitability of the breach should not translate into apathy about how we better protect our data and that of our customers.  In fact, when considering cyber resilience it is suggested that organisations should adopt an approach that assumes a breach will happen and work back from there, as opposed to implementing purely defensive and protective measures backed up with fingers-tightly-crossed-behind-backs.