British Air fined $34 million for data breach, making this ICO’s biggest financial penalty EVER

British Airways has been fined the equivalent of CA$34 million for a 2018 data breach that affected over 490,000 passengers and BA employees worldwide.

The Information Commissioner's Office (ICO) announced the penalty on Friday, calling BA's failure to protect personal data under the new European General Data Protection Regulation (GDPR) "unacceptable". It is the largest financial penalty the regulator has ever imposed.

Information Commissioner Elizabeth Denham said in a statement: "People submitted their personal details to BA and BA failed to take adequate measures to protect those details. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some concern and distress."

This is far less than the CA$300 million penalty the ICO proposed last year. The ICO stated in its decision that the penalty would have been higher had it not been for the financial impact of the COVID-19 crisis.

The attack can be considered a classic example of a third-party supply chain attack. On June 22, 2018, an unknown attacker used the username and password of a Trinidad-based employee of Swissport, BA's cargo handler, to log in to the airline's Citrix remote access gateway and, from there, its IT systems.

Eventually, the attacker edited a JavaScript file on BA's website so that it sent a copy of travellers' cardholder data to a lookalike domain, where it was captured.
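A modified script on a checkout page is only caught if someone is comparing what is being served against what was approved for release. The following is an added illustration of that control, not code from the ICO report or from BA: it keeps a SHA-256 baseline of the JavaScript files in an approved release, compares a later snapshot against it, and also computes the Subresource Integrity (SRI) value ("sha256-" followed by the base64 digest) that a page can pin a script to so the browser refuses a changed copy. The file names and contents are constructed for the example.

```python
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a served file's bytes."""
    return hashlib.sha256(data).hexdigest()


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value for <script integrity="...">: 'sha256-' + base64(raw digest)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_baseline(files: dict) -> dict:
    """Map path -> hex digest for every file in the approved release."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_against_baseline(files: dict, baseline: dict) -> list:
    """Compare a later snapshot with the baseline.

    Returns (path, status) pairs, status being one of:
    'ok', 'modified' (content changed), 'unexpected' (not in the release),
    'missing' (in the release but no longer served).
    """
    results = []
    for path in sorted(set(files) | set(baseline)):
        if path not in baseline:
            results.append((path, "unexpected"))
        elif path not in files:
            results.append((path, "missing"))
        elif sha256_hex(files[path]) != baseline[path]:
            results.append((path, "modified"))
        else:
            results.append((path, "ok"))
    return results


def alerts(results: list) -> list:
    """Only the entries an operator needs to look at."""
    return [r for r in results if r[1] != "ok"]


# Constructed approved-release snapshot (hypothetical paths and contents).
DEPLOYED = {
    "static/js/vendor.js": b"window.vendorReady = true;\n",
    "static/js/checkout.js": b"function submitPayment(form) { return true; }\n",
}
BASELINE = build_baseline(DEPLOYED)

# Constructed later snapshot: one file has been altered after release and one
# file is being served that was never part of the approved release.
CURRENT = {
    "static/js/vendor.js": b"window.vendorReady = true;\n",
    "static/js/checkout.js": b"function submitPayment(form) { return true; }\n// unreviewed change\n",
    "static/js/extra.js": b"/* not part of the approved release */\n",
}

if __name__ == "__main__":
    for path, status in alerts(check_against_baseline(CURRENT, BASELINE)):
        print(f"{status:10s} {path}")
    print("SRI for checkout.js:", sri_hash(DEPLOYED["static/js/checkout.js"]))
```

The baseline has to be taken from the release artefact, not from the web server itself, and the comparison has to run against what the server actually returns to a browser; a check that hashes files on the origin host will not notice a change made at a CDN or proxy in front of it. SRI complements this because the browser enforces it on every load, but it only helps for scripts loaded with an `integrity` attribute, so inline scripts and dynamically inserted tags still need the server-side comparison.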

From what the commissioner considered, it is not clear that the airline would ever have detected the breach on its own. An anonymous third party informed BA that the data was leaking, and the attack ceased on September 5, 2018.

The ICO also concluded that "BA was negligent in maintaining an operating system that was ... prone to significant weaknesses and deficiencies." 

"A company of BA's size and profile is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise. BA should also be aware that the nature of its business involves processing large volumes of personal data, including sensitive data," the ICO said.

"The risk of any compromise of that information could have significant consequences for BA's customers and for its own business. In view of these factors, the commissioner would have expected BA to take appropriate steps to secure the personal data of its customers. But the airline did not take all appropriate measures," the report concluded.

The full report details the attack, but much of the information is redacted, presumably to keep potential attackers from exploiting the airline's infrastructure. In short, the Swissport credential used by the attacker was one of five that had been obtained by some unknown means.

The Citrix login system allowed access to 243 applications, 13 of which were not protected by multi-factor authentication, even though BA has a policy requiring MFA for all remote network access.

The report states that BA has not given a satisfactory explanation as to why some applications did not have to follow the MFA policy. BA's response to an ICO question on this point has been redacted.

It is unclear how the attacker was able to break out of the Citrix environment into BA's wider network. The airline has a theory, but it lies in one of the redacted sections.

The suggestion, however, is that the attacker compromised several devices in the Citrix environment. From there the attacker moved through the network until they obtained the credentials of a privileged domain administrator account whose login details were stored in plaintext.

The attacker then captured the credentials of a database system administrator and, according to the report, accessed multiple servers looking for valuable data.

They found a plaintext log file containing payment card details for BA C redirection transactions, which also included some CVV numbers.

This was clearly test data that should have been encrypted. The capture of this data had been running automatically since 2015. Fortunately, the report states, the file only retained transactions for the last 95 days. Unfortunately, that still amounted to 108,000 payment cards.
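A log file that quietly accumulates full card numbers and CVVs for years is a failure that can be found before an attacker finds it. The following is an added example, not code from the ICO report or from BA, of the kind of scan a defender would run over application logs: it looks for 13- to 19-digit sequences, keeps only those that pass the Luhn check (so timestamps and reference numbers are not flagged), notices security-code fields that should never be logged at all, and produces a redacted copy of each line. The log lines are constructed for the example and use well-known test card numbers; the field names (`pan=`, `cvv=`) are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Security-code fields that must never appear in a log in any form.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)(\s*[=:]\s*)\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> list:
    """Return the separator-free PANs in a line that pass the Luhn check."""
    return [_normalise(m.group(0)) for m in PAN_CANDIDATE.finditer(line)
            if luhn_valid(_normalise(m.group(0)))]


def redact_line(line: str) -> str:
    """Mask all but the last four digits of each PAN and blank any CVV value."""
    def _mask_pan(m):
        digits = _normalise(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)           # not a card number: leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]

    line = PAN_CANDIDATE.sub(_mask_pan, line)
    return CVV_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}***", line)


def scan_log(lines) -> list:
    """One finding per offending line: line number, last four of each PAN, CVV present."""
    findings = []
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        cvv_present = CVV_FIELD.search(line) is not None
        if pans or cvv_present:
            findings.append({"line": number,
                             "last4": [p[-4:] for p in pans],
                             "cvv": cvv_present})
    return findings


# Constructed sample log (hypothetical format; 4111... and 4242... are test card numbers).
SAMPLE_LOG = [
    "2018-06-22T10:15:01Z INFO redirect txn=BA-000123 pan=4111111111111111 cvv=123 amount=412.50",
    "2018-06-22T10:15:02Z INFO redirect txn=BA-000124 pan=4242-4242-4242-4242 amount=88.00",
    "2018-06-22T10:15:03Z INFO health check ok ref=1234567890123456",
    "2018-06-22T10:15:04Z INFO session id=a9f3 user=alice status=200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PAN ending {f['last4']}, CVV logged: {f['cvv']}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The third line carries a 16-digit reference that fails Luhn, so it is reported as clean; that filter is what keeps a scan like this usable on real logs, at the cost of missing a card number that was truncated or mangled before logging. A finding should trigger removal of the field at the point where it is written, not just redaction of the existing file, since the copy that already exists has the same retention problem the report describes.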

The attacker was eventually able to compromise BA's website, where passengers bought tickets online, and skim the card information entered there.

The attacker may have obtained information on 490,000 people, including: the names, addresses, card numbers and CVV numbers of 24,000 people; 77,000 card and CVV numbers; 108,000 card numbers only; user and BA staff passwords; and the usernames and PINs of 612 BA Executive Club accounts.
