The announcement last week that the Information Commissioner’s Office (ICO) has settled on a fine of £20m for British Airways, following its investigation into the airline’s handling of personal data, would, we imagine, create mixed feelings within the senior management of the beleaguered company. On the one hand it compounds what, to this point, has been nothing less than a catastrophic year for BA, and of course the wider travel industry. On the other, the fine is significantly less than the previously mooted figure of over £180m that some experts predicted.
Aside from the headline-grabbing financial implications, there were some other statistics emerging from this well-publicised investigation that provided insight into the good and bad of how large corporations respond during a cyber breach. In BA’s case, there was a significant difference between the time it took to identify that a breach had occurred and their response time once this was confirmed. It is widely acknowledged that the breach of BA systems was ‘live’ for around two months, during which time the personal data of around 429,612 customers and staff is believed to have been accessed. However, once BA became aware of the breach, the access was shut down in under 90 minutes.
This is significant and clearly shows, as is often the case in a cyber attack, that prevention is the hardest strategy to ‘get right’. Breaches are often simple, but sustained, and can often be easily stopped once the existence of a breach is known. But implementing a longer-term strategy of prevention is the most important and hardest part to create and evolve. The BA breach is yet another example that clearly demonstrates the importance of an effective incident response function - whilst highlighting how cyber strategy should not be viewed in isolated terms of ‘defence’ and ‘reaction’. Instead, a more holistic approach should be adopted, driven by a unified strategy that incorporates elements that are not mutually exclusive. The combination of strategies and tools used, if designed and implemented correctly, will work together to form a robust framework within which cyber security is designed, delivered and monitored in tandem.
In BA’s case they clearly had the incident response function prepared, underlined by the relatively impressive hour and a half it took to nullify and contain the attack. As is well documented, the speed of response to an incident has a direct correlation to the impact on business operations. But it is also clear that BA’s ‘prevention’ approach lacked the strategic direction and tools to prevent the breach in the first instance. So, despite the impressive response once the breach was discovered, BA were still impacted significantly because of their failures in other areas – in particular, their inability to prevent or identify the breach earlier in the kill chain – not to mention adhering to their own governance policies.
So how did this breach occur? We know the attacker gained access using the credentials of an employee from a third-party supplier, Swissport. We also know that only single-factor authentication was required (username and password), with no multi-factor authentication in place, not to mention any evidence of public IP or application whitelisting. Ultimately, following a detailed investigation, the ICO concluded that, under the requirements of the GDPR, BA had failed in its obligation to ‘ensure appropriate security’ (Article 5) and to ‘implement appropriate security’ (Article 32).
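The two control gaps described above (a third-party account authenticating with a password alone, and no source IP allowlist for that access) are exactly the conditions a defender can check for in authentication logs. The following is an added illustration written for this article, not code from BA, Swissport or the ICO report: it parses a few constructed key=value login records and flags successful supplier-account logins that used no MFA or came from outside an allowlist. The account names, the `supplier-example` domain and the `203.0.113.0/24` range are placeholders, and the log format is an assumed one.

```python
"""Added example (not from the article): a small access-policy check that
flags the conditions the text describes -- a third-party account logging
in with a password only (no MFA) and from a source IP outside an allowlist.
The log lines, account names, supplier domain and IP ranges below are all
constructed for illustration; nothing here is BA's or Swissport's real data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy: sources from which third-party accounts may log in.
# 203.0.113.0/24 is a documentation range used here purely as a placeholder.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical account domain that identifies supplier (third-party) users.
THIRD_PARTY_DOMAINS = {"supplier-example"}


@dataclass
class LoginEvent:
    user: str
    domain: str
    source_ip: str
    mfa: bool
    success: bool


def parse_event(line):
    """Parse one constructed 'key=value key=value ...' log line into a LoginEvent."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LoginEvent(
        user=fields["user"],
        domain=fields["domain"],
        source_ip=fields["src"],
        mfa=fields["mfa"] == "yes",
        success=fields["result"] == "success",
    )


def evaluate(event):
    """Return the list of policy findings for one event; an empty list means compliant.

    Only successful logins are assessed: a failed attempt grants no access,
    so the findings here are about access that actually happened.
    """
    findings = []
    if not event.success:
        return findings
    is_third_party = event.domain in THIRD_PARTY_DOMAINS
    if is_third_party and not event.mfa:
        findings.append("third-party account authenticated with a single factor (no MFA)")
    ip = ipaddress.ip_address(event.source_ip)
    if is_third_party and not any(ip in net for net in ALLOWED_SOURCES):
        findings.append(f"source {event.source_ip} is outside the third-party IP allowlist")
    return findings


# Constructed sample log: line 3 is the case the article describes
# (supplier account, password only, unexpected source address).
SAMPLE_LOG = """\
user=jsmith domain=corp src=10.0.4.17 mfa=yes result=success
user=svc-ground domain=supplier-example src=203.0.113.45 mfa=yes result=success
user=svc-ground domain=supplier-example src=198.51.100.9 mfa=no result=success
user=svc-ground domain=supplier-example src=198.51.100.9 mfa=no result=failure
"""


def audit(log_text):
    """Run the policy over every line; return {line_number: [findings]} for non-compliant logins."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = evaluate(parse_event(line))
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    for n, findings in audit(SAMPLE_LOG).items():
        print(f"line {n}:")
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports only the third line, with both findings. The point of the design is that the two checks are independent: enforcing MFA for supplier accounts and restricting where they may connect from each close a different part of the path the article describes, and a real identity platform would apply both at authentication time rather than only in a retrospective audit like this one.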
The impact on BA may also be far from over. We are starting to see a rise in class action lawsuits where individuals join forces to bring a single claim against organisations for breach of privacy or data loss. Significantly, following the ruling of the Vidal-Hall case brought against Google in 2013, claimants no longer necessarily need to demonstrate financial loss in order to seek damages. We saw this in the Morrison’s breach back in 2017. BA are currently staring down the barrel of a similar claim, with litigation lawyers suggesting that affected parties could get as much as £2000 each, which multiplied by 400,000 potential cases could see costs to BA reach as much as £800m. Whilst unlikely, it still has the potential not only to dwarf the initial fine estimation of £180m but, more importantly, to remain a painful thorn in BA’s side for years to come.
BA, of course, are not the first and they certainly won’t be the last, but acceptance of the inevitability of the breach should not translate into apathy about how we better protect our data and that of our customers. In fact, when considering cyber resilience it is suggested that organisations should adopt an approach that assumes a breach will happen and work back from there, as opposed to implementing purely defensive and protective measures backed up with fingers-tightly-crossed-behind-backs.