What can we learn from British Airways’ data breach and £20m fine?

  Angelique   |   22nd October 2020 - 5 min read

Data Protection | Insurance

It’s been two years since British Airways suffered cyber-attack where personal and credit card data was compromised. A year ago, the airline industry and commentators were stunned when the Information Commissioner (ICO) announced it would slap a £183 million fine on the airline. But fast forward 2020 that fine was whittled down to £20 million.The reason why it had been reduced was because the ICO had considered both BA’s representations as well as the economic impact of Covid-19 on their business. Still, it’s a hefty amount and if it hadn’t been for the coronavirus pandemic, it would’ve been a lot higher.Information Commissioner Elizabeth Denham said: “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

How did it happen?

This data breach occurred a while ago so we’re happy to give you a recap. Back in 2018 a cyber attacker is believed to have potentially accessed the personal data of 429,612 customers and staff. Personal data such as names, addresses, payment card numbers and CVV numbers of 244,000 BA customers had been compromised.But that’s not all. Other details that were exposed included combined card and CVV numbers of 77,000 customers and card numbers of 108,000 customers. User names and passwords of BA employee, administrator accounts and BA Executive Club accounts were also potentially hacked.You can only imagine the stress and financial damage this caused to those affected. Of course, BA suffered reputational damage as a result of it and now of course has lost £20 million in the process.

So, what could BA have done differently?

According to the ICO, there were numerous actions that BA could’ve taken to mitigate or prevent the risk of such an attack on its BA network. It says BA could’ve:
  • Limited access to applications, data and tools to only that which are required to fulfil a user’s role
  • Undertook rigorous testing on the business’ systems and conducted a simulation of a cyber-attack
  • Protected employee and third-party accounts with multi-factor authentication.
But what about the cost of all of this you say? Well, according to the ICO this should’ve been no excuse. They claim that none of these measures would’ve entailed a significant cost and that there were also no major technical barriers to employing them as they were already available through the Microsoft Operating System used by the airline. It has to be said, of course, that BA have now made considerable improvements to their IT.

How can SchemeServe help my business?

At SchemeServe we take data protection very seriously. We comply with all the many and varied General Data Protection Regulations (GDPR).Cyber criminals always find new and ingenious ways of getting what they want, so it’s important for us to adapt as well. Given the nature of the data that we process and the volume of data we have from our clients, we continuously review, improve, and update. We do this so we can keep up to date with software and technology out there that could be used for hacking.Hacking is a real threat to any business not just large corporates like BA. Last year a report by Lloyds of London warned that several industry sectors are vulnerable to a co-ordinated and vicious cyber-attack that would cause catastrophic losses and run into the billions financially.We have yet to see a cyber-attack of this magnitude. But it is possible – given how interconnected we all are. Of course, we’re all hoping that this type of coordinated attack never happens. But what if it does?The only thing businesses can do is put the right kinds of protection in place. If you’re concerned that you’re not protecting your data enough then contact us! This is our passion and we’re only too happy to see how we can help.

Further reading:

History in the making! Meet our new data protection officer – James DixImage by Johan Widén from Pixabay 

Ready to make the next step?

Get in contact and let us show you how you can accelerate your insurance business with SchemeServe