The Information Commissioner’s Office (ICO) has handed British Airways what it claims is the biggest penalty – and the first to be made public under new rules – since the General Data Protection Regulation (GDPR) came into play last year. According to the ICO, 500,000 customers had their personal information compromised during the 2018 breach, and the airline needs to pay up – to the tune of £183 million.
BA data breach facilitated by poor website security. 1.5% of global turnover or £185M GDPR fine levied. https://t.co/Wsn22Jm65X
— Chris Wysopal (@WeldPond) July 8, 2019
According to the BBC, British Airways, owned by IAG, has said that it is “surprised and disappointed” by the penalty, following an attack by hackers who allegedly carried out a “sophisticated, malicious criminal attack” on its website. The airline first disclosed the incident on Sept. 6, 2018 and had initially reported roughly 380,000 transactions had been affected.
The ICO, which believes the attack began in June 2018, found that user traffic to BA’s website was re-routed to a fraudulent website that gave hackers the ability to steal customer information. As a result of the airline’s poor security posture, customer login information, payment card and travel booking details, and names and addresses were compromised.
In a statement, Information Commissioner Elizabeth Denham said, “People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Ensuring that your organization is in compliance with GDPR is critical for both your customers’ protection and your bottom line. To learn more about how Veracode DevOps Penetration Testing can be used to meet compliance requirements, check out this blog post.