Sensitive information left exposed with no encryption
British Airways has been fined £20 million (US $26 million) following a data breach which saw its systems hacked and the personal and payment card information of 400,000 customers stolen.
It’s the biggest fine ever handed out by the UK’s Information Commissioner’s Office (ICO), which – by comparison – smacked Facebook’s wrist for a mere £500,000 over the Cambridge Analytica scandal.
But many will consider that British Airways got away lightly, having initially faced a £183 million ICO fine over the breach which occurred in 2018.
British Airways’ fine may be the biggest on record, but it’s still a 90% drop from what it could have been.
Announcing the final penalty, the ICO explained that it had taken into account representations from British Airways and “the economic impact of COVID-19 on their business.”
Reading between the lines, if British Airways’ fortunes hadn’t been hit so hard by the global pandemic then the fine it would have been walloped for its enormous security failure.
And British Airways’ failure was monumental.
Amongst the airline’s blunders identified by the ICO’s redacted report on the incident included:
a failure to enforce the use of multi-factor authentication (MFA) on accounts that provided remote access to British Airways’ internal systems.
a failure to prevent the exploitation of a Citrix vulnerability that allowed the attacker to launch unau ..
Support the originator by clicking the read the rest link below.
