16 Jul 2019

As the Information Commissioner’s Office (ICO) prepares to levy a record £183m fine on British Airways (BA) for a data breach affecting around 500,000 customers, we take a look at what went wrong and how you can interpret the General Data Protection Regulation (GDPR)’s ‘security principle’.

It’s important to note that the ICO’s announcement is not a declaration that it will be fining BA the full amount of the £183 million. Rather, it’s a “notice of intention” – that this is the amount the ICO intends to fine. BA will, however, have the opportunity to challenge or provide mitigating information.

The breach

In September 2018, BA notified the ICO that it had suffered a breach of customer data from its website and mobile app. The compromised data included customers’ full names, email addresses and financial details (such as card numbers, their expiry dates and CVV numbers).

The ICO has said very little about the cause of the breach, other than that it involved ‘user traffic to the BA website being diverted to a fraudulent site’.

We understand from cybersecurity firm RiskIQ that the breach involved hackers gaining access to BA’s website and subtly modifying the underlying code to place the online equivalent of a credit card skimmer on certain pages. Any customer information typed into an affected webpage was logged and sent directly to a server operated by the hackers, before it had been collected and stored by BA.

The skimming function ran silently in the background, with customers seeing no obvious signs that their data was being collected by anyone other than BA.

The ‘security principle’

The Data Protection Act 1998 outlined a requirement for organisations to use ‘appropriate technical and organisational measures’ to ensure its security is appropriate to the level of risk it faces. This has continued under Article 32 of the GDPR, where it is known as the ‘security’ principle. The ICO has recently published significant guidance on this area on its website, which can be found here.

Crucially, the ICO says that ‘every aspect’ of data processing is covered by the security requirement. This all-encompassing approach means that attention must be put not only on the security requirements of data once it has already been collected, but to all other areas of your business as well, including physical, system, device and website security.

The hackers placing the illicit code onto the BA website needed access to its servers – this could have been via physical access to a computer belonging to a website developer, or they could have gained access to the website by breaching a simple login procedure.

Practical steps to try and avoid a similar incident

We have identified a couple of methods which, when included within a wider security plan, could help avoid a repeat of this type of breach and ensure your organisation can meet the ICO’s all-encompassing requirement for data security.

  • Ensuring secure access for employees in all areas of the business, not just those responsible for maintaining the customer database. Any outsourced staff responsible for products, such as a customer-facing website, should also be subject to rigorous security controls.
  • Frequent auditing of technical code – the illicit code used in the BA breach was just 22 lines long. Very few people without precise technical knowledge would have been able to spot the code and understand that it should not have been there – indeed it took more than 2 weeks for BA to do this, which suggests a more systemic issue of IT governance, rather than an isolated vulnerability. Larger companies should conduct regular, independent, reviews of its code to ensure it performs only the functions intended of it.

How we can help

If you need help understanding the requirements of the GDPR or implementing data systems which comply with data protection legislation, we would be happy to help. Please get in touch with our data and privacy team.