British Airways may have to pay a record fine of £183 million after the Information Commissioner’s Office deemed the company had failed to sufficiently protect customers’ data against sophisticated cyber-attacks.
Richard Cornell, Information Security Manager at Altodigital, said the case highlights the importance of companies gaining the ISO 27001 accreditation for cyber security. “British Airways is being punished for the data breach which happened simply because it lost control of its supply chain,” he said.
“A number of third-party suppliers were supporting BA’s website and one of them was compromised, and nobody spotted it.”
Cornell said this highlights the importance of doing everything possible to protect customers’ data to prevent attacks and breaches. “Managing the supply chain correctly is vital to ensure everyone in it is doing everything possible to prevent cyber-attacks. If your suppliers have ISO 27001, they are far more likely to be in control of what they are doing and minimise data breaches. ISO 27001 is a marker to show companies are taking every precaution they can to prevent the malicious and damaging attacks by cyber criminals.”
Alex Bransome, Virtual Cyber Information Security Officer at Doherty Associates, believes British Airways could have done more to keep the front end of their data network secure. “According to the ICO report, there were major weaknesses at the front end of British Airways’ data network via its website which is surprising given this is where all business critical data on customers is processed.
“It was a very well planned and targeted attack which allowed cyber criminals to skim off customer data and credit card details. BA should have been doing more to monitor, test and update their security systems to ensure there were no gaps in their cyber defence that hackers could take advantage of.
“Commonly, organisations make the mistake of deploying security systems and then leaving them, but this record £183 million fine is a warning shot that the ICO is serious about fining anyone breaching GDPR regulations. To keep the front door secure and personal data protected at all times, companies must regularly run security checks and update their security systems to ensure any vulnerabilities are identified and patched so no gaps are left for cyber criminals to exploit. If not, they are leaving their customers’ data exposed, risking a GDPR compliance breach and major reputation damage,” he warned.