British Airways landed with massive GDPR fine
GDPR fines soared to new heights this week as the Information Commissioner’s Office threatened British Airways with a fine of £184m for a significant data breach. Employment law expert Annabel Kaye advises accountancy firms how they can avoid a similar fate.
The Information Commissioner’s Office (ICO) has been investigating a number of large-scale data breaches, and this week’s headline GDPR news is that the body intends to fine British Airways (BA) £183.39m for breaches of data protection law thought to have occurred in June 2018 and reported in September 2018.
The attack, perpetrated by cybercriminal gang Magecart, contained a number of different factors that contributed to the problem:
- Scammers created a false website. BA customers logged into this and inadvertently shared their logins (and possibly more security information).
- 500,000 customer records were compromised over a period of time starting in June 2018.
- Poor security arrangements allowed customer information to be compromised, including payment card details, travel itineraries, names and addresses.
The final amount has yet to be determined as BA and other EU data protection bodies now have to make representations about the scale of the fine. The airline has 28 days to appeal, and in a statement declared itself “surprised and disappointed” by the ICO’s initial finding.
“British Airways responded quickly to a criminal act to steal customers’ data,” continued the statement. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
If the figure is confirmed, it will be the largest GDPR penalty to date. The fine seems huge, but is unlikely to be terminal for BA and is less than half the 4% of worldwide turnover the ICO is entitled to make. The maximum could have been up to £489m.
Fines received by the ICO are due to go to the Treasury, but the body is exploring whether to ring-fence its penalty income to cover potential litigation costs to defend its decisions.
Could this happen to an accountancy firm?
There are few professional firms with 500,000 customers and prospects on a database. But if you start looking at say 50,000, or even 5,000 customer records, it is quite possible for a similar breach to happen to an accountancy practice.
While the scammers have historically targeted big consumer sites, as those sites progressively lock down their security (or get fined), criminals will move onto smaller databases and sites where the security may be easier to crack.
What should you do?
Check and search
- Do an anonymous Google search for your firm (while you are not logged into your Google browser) and see if any fake websites are using your business name, or your keywords appear.
- Check variations of your URL (website address) carefully. Scammers can clone your logos and words, and the look and feel of your site. All they need to do is change one letter.
- Set up Google alerts for copy that is identical to your opening lines, brand name and so on to get informed if any copy appears that closely resembles yours.
Monitor and review client logins
If you have a portal or website where clients log in and view their own documentation, talk to your supplier about making sure they have two-factor or double-authenticated logins (using an authenticator app or texts), and that this is triggered whenever they attempt to log in from a new device/location/IP address.
Industry insightsView more
This step will make it more difficult for people who have stolen the login information to gain access since they will also have to have stolen their phone or other authentication device.
Set up monitoring and reporting
Sites with customer data on them should have security software that offers you reports. Make sure those are set to notify you of an unusual number of failed logins (those that fail the authentication test). This pattern can indicate that customer login information is compromised. Make sure someone with authority is tasked with identifying what has caused the upsurge.
Discuss with your IT provider what a normal level of security failures is on your site would and make sure that both your and the customer login information is encrypted and securely stored.
Active monitoring is key
GDPR and data security is a process, not a deadline. It is not enough to say, “We were secure a year ago, so we must be now.” The essence of security is to check and monitor regularly.
You will also want to look at whether new security options are available within the software and platforms you use.
There has been a massive improvement in many mainstream software packages and tools, but many require you to turn them on or require their use. Not all security upgrades are automatically applied if they require a change in end-user or customer behaviour.
Annabel co-founded Irenicon in 1980 and during the last 30+ years, managed to juggle being a mother to her two children with advising clients on everything to do with the tough side of HR. From flexible working and parental leave to discrimination and TUPE - she loves the