British Airways massive data breach fine and why it is a hard but important lesson
British Airways was fined £183M by the UK Information Commissioner's Office. This is a massive fine and if I worked for BA, I would certainly be annoyed, but this is the whole point of fines for GDPR infringements. As a company, you have a legal responsibility - period - for the data that you collect. A number of errors were made by BA which led to the attack.
The truth is, a company should not make the kinds of excuses that BA (and plenty of others) have made.
"It was sophisticated". So? In most cases, hacks of this level are not a 5 minute job, but then a jeweller couldn't excuse a burglary because picking a lock was "sophisticated"; it is a known risk and something that a jeweller would mitigate against (they put expensive things in a vault). The truth was, scripts were injected into a page, and there are a number of steps that could have prevented this from working correctly, a Content Security Policy in particular, which were probably not implemented because, in most cases, marketing get the ability to force their scripted crap into loads of pages. Even if they want the marketing scripts, all you have to do is have a secure area of the site which is prohibited from having tracking scripts and simply takes cardholder data.
"We cooperated with the investigation". So? If you didn't, you should have been locked up. This is no excuse and no real mitigation in my opinion. You almost certainly co-operated to get the full support of the UK government in the investigation rather than because it was just the right thing to do.
"It is a massive fine". Yes it is, and until we have people with the teeth to implement painful punishment, nothing will change. Why would it? I remember when driving without car insurance had a maximum fine of £500. My first year's car insurance cost me £835, so you might imagine that insurance was not really necessary from a numbers point of view. The reality is that companies do indeed take security or risk decisions based on money alone, and it kind of makes sense: do we spend £100M on this security system or risk the £5M fine if it all breaks? Now that the balance is moving towards "do something" rather than "don't", we might have some more motivation.
That is not to say the scenario is without problems. The truth is there is a massive lack of genuine or verifiable skills in the security industry. In some cases, there is not even a consensus on basics like the best password hashing algorithms or which security appliances touted by the industry are worth it and which are not.
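To make the Content Security Policy point concrete, here is an added example (not code from the original post, and not BA's real configuration) that parses a CSP header and answers, for a given page origin, whether a script loaded from some URL, or an inline script block, would be allowed. It compares two constructed policies: a typical marketing-friendly one that permits inline script and any https: host, and a tight policy of the kind a cardholder-data page should carry. Hostnames such as www.example.com and third-party.example are placeholders.

```python
"""Would this Content-Security-Policy stop a script the site owner never listed?

Added example: parses a CSP header and evaluates script-src for a page origin.
The policies and hostnames below are constructed for illustration.
"""
from urllib.parse import urlsplit

# A marketing-friendly policy: inline scripts and any https: host are allowed,
# so a script injected from an unrelated host is not blocked.
MARKETING_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

# A tight policy for a page that only takes cardholder data: first-party
# scripts only, no inline script, no framing, forms post back to the site.
PAYMENT_CSP = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; "
    "form-action 'self'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            # CSP keeps the first occurrence of a repeated directive.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; when absent the policy falls back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))


def _origin(url: str):
    """(scheme, host, port) with the default port filled in, for 'self' comparison."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def _source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Approximate CSP source-expression matching for a single script URL."""
    scheme, host, port = _origin(script_url)
    if source == "'self'":
        return _origin(script_url) == _origin(page_origin)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source.endswith(":"):
        return scheme == source[:-1].lower()  # scheme source such as https:
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme.lower() != scheme:
        return False
    src_host = src_host.split("/")[0].lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return src_host == host or src_host == f"{host}:{port}"


def allows_external_script(header: str, script_url: str, page_origin: str) -> bool:
    """True if any script-src expression permits loading script_url on this page."""
    return any(_source_matches(s, script_url, page_origin)
               for s in script_sources(parse_csp(header)))


def allows_inline_script(header: str) -> bool:
    """True if inline <script> blocks (the usual injection vehicle) are permitted."""
    return "'unsafe-inline'" in script_sources(parse_csp(header))


def assess(header: str, page_origin: str, script_urls: list[str]) -> dict[str, bool]:
    """Map each candidate script URL, plus the key 'inline', to allowed/blocked."""
    result = {url: allows_external_script(header, url, page_origin) for url in script_urls}
    result["inline"] = allows_inline_script(header)
    return result


if __name__ == "__main__":
    # Constructed candidates: the site's own script and an unrelated third-party host.
    candidates = ["https://www.example.com/js/pay.js", "https://third-party.example/tag.js"]
    for name, csp in [("marketing", MARKETING_CSP), ("payment", PAYMENT_CSP)]:
        print(name, assess(csp, "https://www.example.com", candidates))
```

The matcher is deliberately simplified (no path matching, nonces, hashes or 'strict-dynamic'), but it is enough to show the difference that matters here: under the marketing policy the third-party script and inline code are both allowed, while the payment policy permits only first-party scripts. Keeping the cardholder-data pages on their own path with the tight header, and letting marketing have the loose one elsewhere, is the separation the post describes.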
I heard about an organisation that spent £5M on a security application firewall but couldn't maintain it to a suitable level so they simply switched it off! Too much security noise is also not helpful.
I still really want the industry to grow up and start tying the various credentials and certifications together, a bit like law or medicine, so that these things start to mean something. We can then appraise the industry as a whole and measure whether the training and certification needs improving/changing etc.