The Information Commissioner's Office (ICO) imposed a fine of £20m on British Airways (BA) for failing to protect the personal and financial details (payment card details) of more than 400,000 customers.
The ICO investigation revealed that BA had not implemented adequate security measures and, as a result, did not detect a cyber-attack that took place in 2018 until a third party made BA aware of it two months later.
The attackers potentially accessed:
- the personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers;
- the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers;
- usernames and passwords of BA employee and administrator accounts;
- usernames and PINs of up to 612 BA Executive Club accounts.
According to the ICO, addressing these security issues would have prevented the 2018 cyber-attack from being carried out in this way. As a result, the ICO issued BA with a notice of intent to fine in June 2019. The initial amount of the proposed fine was approximately £183m. However, following further representations and because of the impact of COVID-19 on BA's business, the penalty was reduced to £20m.
Since the cyber-attack happened in June 2018, before Brexit, the ICO acted as the lead supervisory authority under the GDPR. The other EU supervisory authorities approved the penalty and the action through the cooperation process.
Circumstances of the attack
On June 22, 2018, the attacker(s) (who have not yet been identified) gained access to the BA IT system and remained undetected until September 5, 2018, when a third party informed BA of the attack.
They first gained access to the BA network via the CAG, a tool that allows users to access a network or applications remotely and that BA uses to provide remote access to some of its IT applications.
The attackers managed to obtain the login credentials that BA had provided to an employee of Swissport, a third-party provider. According to the ICO, the account was not protected by multi-factor authentication (“MFA”) but solely by a single username and password.
Hence, the attackers were able to access a set of applications available to Swissport employees, and they later managed to break out of the Citrix environment (i.e. the limited network access) into the wider BA network. BA does not know how the attackers managed to gain such access.
Then, they managed to access a file containing the username and password of a privileged domain administrator account, stored in plain text in a folder on the server, which potentially gave them access to anything available on the network.
As a result, on July 26, 2018, the attackers were able to access log files, in plain text, containing payment card details for BA redemption transactions.
The investigation revealed that the storage of this information (i.e., card details and CVV numbers) was not necessary for any particular business purpose, as it was a testing feature. Furthermore, according to BA, the data was stored in plain text rather than in encrypted form as a result of human error. Even though this logging had been going on since 2015, the retention period was 95 days, and therefore only the card details logged within the preceding 95 days were accessible. Nevertheless, 108,000 payment card details were potentially available.
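The failure described here is card data (PAN plus CVV) written to plain-text log files. The following is an added example, not BA's code or anything from the ICO decision: a log-line redaction filter that detects candidate card numbers, confirms them with the Luhn check so that booking references and other long digit strings are left alone, masks the PAN to first six and last four digits, and strips labelled CVV fields. The log format (`pan=`, `cvv=` fields) and the sample line are constructed assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# CVV/CVC/CSC as a labelled field (assumed log format). A CVV must never be
# stored after authorisation, so it is removed entirely rather than masked.
CVV_RE = re.compile(r"(?i)\b(cvv|cvc|csc)\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        return raw              # looks like a PAN but is not one (reference number, phone, ...)
    # First six (BIN) and last four are the most that PCI DSS allows to be displayed.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Return the log line with CVV fields removed and any Luhn-valid PAN masked."""
    line = CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


def redact_log(lines):
    """Apply redact_line to every line; returns (redacted_lines, number_of_changed_lines)."""
    out = [redact_line(l) for l in lines]
    return out, sum(1 for a, b in zip(lines, out) if a != b)


# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# the 16-digit "ref" value fails Luhn and must survive untouched.
SAMPLE_LOG = [
    "2018-07-01T12:00:00Z redemption booking=ABC123 pan=4111 1111 1111 1111 cvv=123 amount=120.00",
    "2018-07-01T12:00:05Z redemption booking=DEF456 ref=1234567890123456 status=ok",
]
```

Redaction at the logging layer is a last line of defence; the primary fix the ICO describes is not to write this data at all.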
The attackers were also able to identify files that contained code for the BA website and, between August 14 and August 25, 2018, they redirected customer payment card data to a different website, BAways.com, owned and controlled by the attackers (i.e., skimming). As a result, when customers entered payment card information into the BA website, a copy was sent to the attackers at the same time without interrupting the BA booking and payment procedure.
On September 5, 2018, a third party informed BA that data was being sent from Britishairways.com to BAways.com. The BA team blocked the URL within 90 minutes.
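The flow the third party noticed, payment data leaving the booking page for a domain the site owner does not control, is exactly what a Content-Security-Policy is meant to stop. The following is an added example, not code from BA or the ICO decision: a simplified CSP evaluator that shows a common gap, a policy with only `default-src` still leaves form submissions (`form-action`) unrestricted because that directive does not fall back to `default-src`. Hostnames are constructed placeholders; scheme-only sources, ports, paths, nonces and hashes are not modelled.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent. form-action is NOT
# among them: a policy with only default-src leaves form submissions unrestricted.
FALLS_BACK_TO_DEFAULT = {"connect-src", "script-src", "img-src", "style-src", "font-src", "frame-src"}


def parse_csp(header: str) -> dict:
    """Split "default-src 'self'; connect-src a b" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, dest_host: str, page_host: str) -> bool:
    """Simplified host-source matching: 'self', 'none', *, host, *.host."""
    source = source.lower()
    if source == "'self'":
        return dest_host == page_host
    if source.startswith("'"):
        return False                      # 'none', 'unsafe-inline', nonces, hashes
    if source == "*":
        return True
    host = source.split("//", 1)[-1].split("/")[0].split(":")[0]
    if host.startswith("*."):
        return dest_host.endswith(host[1:])   # *.example.com matches a.example.com only
    return dest_host == host


def csp_allows(header: str, directive: str, dest_url: str, page_url: str) -> bool:
    """Would a browser enforcing `header` on `page_url` let `directive` reach `dest_url`?"""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                       # no applicable directive: nothing is enforced
    dest_host = urlparse(dest_url).hostname
    page_host = urlparse(page_url).hostname
    return any(source_matches(s, dest_host, page_host) for s in sources)


# Constructed hosts (not BA's): a payment page and an attacker-controlled collection host.
PAGE = "https://www.example-airline.com/booking/payment"
EXFIL = "https://skimmer.example/collect"
WEAK = "default-src 'self' https://cdn.example-airline.com"
HARDENED = WEAK + "; connect-src 'self' https://api.example-airline.com; form-action 'self'"
```

With `WEAK`, a fetch/XHR to `EXFIL` is blocked through the `default-src` fallback, but a form POST to it is allowed; `HARDENED` closes that path, and a CSP violation report would surface such an attempt to the site owner rather than to a third party.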
BA implemented additional technical measures, including a next-generation anti-virus and endpoint detection and response tool called CrowdStrike Falcon.
On September 6, 2018, BA notified the ICO and more than 400,000 customers.
Personal data potentially accessed by the attackers
Potentially, the attackers accessed the personal data of around 430,000 individuals, in particular:
- name, address, card number, and CVV number of BA customers (244,000 individuals);
- card number and CVV only (77,000 individuals);
- card number only (108,000 individuals);
- usernames and passwords of BA employee and administrator accounts;
- usernames and PINs of up to 612 BA Executive Club accounts.
Following BA's personal data breach notification, the ICO investigated and initially proposed a penalty of £183.39m on July 4, 2019.
Although BA provided additional representations, the Commissioner concluded that BA had failed to prevent the attack and, worse, had failed to detect it.
BA failed to prevent the attack
The ICO pointed out, in particular, that:
- BA failed to live up to the security requirements regarding the initial access through its third-party provider account (i.e., a supply chain attack), in particular on the ground that guidance was publicly available and BA could have implemented it (e.g., the Centre for the Protection of National Infrastructure guidance of 2015 or the guidance published by the National Cyber Security Centre in January 2018);
- BA could have mitigated the risk of an attacker accessing the BA network by compromising a single username and password. It could have, among other measures, implemented MFA, external public IP address whitelisting, or an IPsec VPN; any of these options would have been appropriate in the ICO's view. BA therefore did not take into consideration the risk, the state of the art, the cost, or the technical measures available when deciding what security measures were appropriate. Furthermore, BA should have adopted different security measures for privileged users' accounts;
- BA did not have an up-to-date risk assessment and did not implement appropriate measures to mitigate well-known risks regarding the Citrix environment, even though guidance was freely available, including from Citrix (e.g., whitelisting, blacklisting, hardening processes, etc.);
- BA should have undertaken rigorous testing, in the form of simulating a cyber-attack, on the business' systems.
The Authority stressed that none of the suggested measures would have entailed excessive cost or technical barriers, and that some were available through the Microsoft operating system used by BA.
BA failed to detect the attack
ICO investigators found that BA did not detect the attack of June 22, 2018 itself but was alerted by a third party more than two months later, on September 5.
Although BA reacted promptly once alerted, it is not clear whether or when BA would have identified the attack on its own. The ICO considers this a severe failing because of the number of people affected and because the potential financial harm could have been more significant.
Taking into consideration the impact of COVID-19, the ICO lowered the initial proposal and served a £20m fine on BA.
For a full reading of the decision, click here.