What’s happened?

British Airways is facing a record fine of £183 million, after its systems were breached by hackers last year and the personal and payment card information of around 500,000 customers were stolen.

183 million quid!? That sounds huge!

Yes, it’s the biggest fine ever handed out by the UK’s Information Commissioner’s Office (ICO).

In comparison, the ICO smacked Facebook’s wrist with a £500,000 fine over the Cambridge Analytica scandal (which amounts to less than ten minutes’ worth of revenue for the social networking giant.)

Why is British Airways being fined so heavily in comparison?

Well, it’s important to know that British Airways hasn’t been fined yet. The ICO has only published its notice of intention for the proposed fine. British Airways has the next 28 days to appeal, and the ICO says it will listen to their representations before making a final decision.

However, you’re right – there’s a great disparity between the two fines. The reason is very simple, the British Airways breach occurred after GDPR regulations came into force last year.

Under the General Data Protection Regulation, firms can now be fined up to 4% of their annual worldwide turnover or €20 million (whichever is greater). The fine proposed by the ICO against British Airways amounts to 1.5% of its global turnover in 2017.

In other words, British Airways could have been facing an even larger penalty.

So this isn’t just bad news for British Airways, it’s scary for all businesses

Sorry, but GDPR wasn’t introduced to make companies with lax security sleep easily at night. It was designed to protect the privacy of individuals, and encourage firms to treat customer data with the utmost care.

If there’s no other way to get businesses to understand the importance of properly securing the customer data they have been entrusted with, then you can hardly blame European data protection authorities for taking action.

So what actually happened to British Airways?

Hackers breached British Airways’ systems and planted a maliciously modified version of the Modernizr JavaScript library on the airline’s payment page.

The poisoned code uploaded data entered by customers via BA’s website or mobile app to a third-party server called baways.com, skimming names, billing addresses, email addresses, and card payment information including card numbers, expiry dates and CVV codes. You can read more about this in a technical analysis on RiskIQ’s blog.

How might British Airways have prevented the data breach?

Precisely how the hackers managed to gain access to British Airways’ infrastructure to plant the malicious code in the first place hasn’t been made public. However, what’s clear is that for a period of time they failed to notice that a JavaScript library used in their website’s payment flow had been tampered with.

File Integrity Monitoring (FIM) can detect changes in files that may signal that a system has been hacked. An unauthorised modification to a key file used on a website’s payment checkout page should trigger an alert and initiate an urgent investigation.

Any unauthorised change needs to be treated as highly suspicious, and steps taken to identify when it changed, who made the change, how it has changed, and – of course – what can be done to restore systems back to a proper working (and hopefully secure) state.