A $230m fine has been proposed as a penalty for British Airways by the Information Commissioner’s Office over the data breach believed to have affected thousands of its customers between April and June 2018. The breach was disclosed in September.
Why It Happened?
The attack diverted user traffic from the British Airways website to a fraudulent site, where the personal details of approximately 500,000 customers were stolen by the attackers.
British Airways said hackers managed to breach both its website and its app to steal customer data. British Airways has not revealed any technical details of the breach, but cybersecurity experts have suggested how it may have happened.
“They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk,” says Prof Woodward.
“It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website.”
It is possible that third-party code was present on the BA website and that, as customers entered their card details, those details were captured and sent somewhere else. Prof Woodward noted that this is known as a supply chain attack.
How Could It Be Prevented?
Privacy law is becoming stricter as repeated breaches expose sensitive PII. It is necessary to keep track of and monitor your assets. Here are a few preventive steps:
- Implement GDPR compliance policies and procedures and have them audited by a trustworthy security entity
- Run a good cyber security training and awareness program so that your employees are aware of the security challenges and potential misuse
- Scan your digital attack footprint, keep a complete inventory of your assets, and monitor and secure them
- Frequent (periodic) vulnerability assessment and penetration testing of your organization’s digital assets is necessary
- Breaches are unavoidable. A proper incident response program that ensures your customers’ sensitive data is not harmed and reduces business downtime is a win-win
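The third-party script skimming described above is exactly what Subresource Integrity and a Content Security Policy are meant to catch, and checking for them is one concrete form of the asset scanning listed here. As an added example (not from the original article and not BA’s code), the Python below flags third-party scripts loaded without an integrity hash and tests whether a site’s connect-src would let a page script send form data to an unexpected host; the sample HTML, CSP header and host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample checkout page; host names are made up, not the real BA site.
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.vendor.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.thirdparty.example/track.js"></script>
<script>console.log('inline');</script>
</body></html>"""
# Constructed CSP header for that page.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.vendor.example; connect-src 'self' https://api.vendor.example"

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # attribute dicts of every <script> tag seen
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))

def audit_scripts(html, first_party_host):
    """Return (host, src) of third-party scripts loaded without Subresource Integrity;
    such a file can be altered at the vendor without the browser noticing."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: SRI does not apply
        host = urlparse(src).netloc.lower()
        if host and host != first_party_host and not attrs.get("integrity"):
            findings.append((host, src))
    return findings

def csp_allows_connect(csp, first_party_host, dest_host):
    """True if connect-src (falling back to default-src) lets page scripts send data to dest_host."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("connect-src", directives.get("default-src", ["*"]))
    for src in sources:
        src = src.split("://", 1)[-1].lower()  # compare on host only
        if src == "*" or src == dest_host or (src == "'self'" and dest_host == first_party_host):
            return True
        if src.startswith("*.") and dest_host.endswith(src[1:]):
            return True
    return False
```

Run the audit against a fetched copy of each payment page and the CSP header it is served with; a script with no integrity hash, or a policy that lets scripts connect anywhere, is the gap a skimmer needs.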