The European Union’s General Data Protection Regulation (GDPR) is showing its teeth. Today Britain’s Information Commissioner’s Office (ICO) announced that it is fining British Airlines (BA), a part of International Airlines Group (IAG), $229.4 million (£183.39 million) for a data breach that exposed personal details and credit card numbers of up to 380,000 customers.
The breach happened between August 21, 2018 and September 5, 2018. Customers who booked flights on the airline’s website or mobile app had personal information stolen.
Magecart, a group of notorious hackers specializing in credit card theft, is credited with the attack. The group attacks poorly secured websites, especially online eCommerce platforms. It is also known for using digital credit card skimmers: malicious code secretly inserted into the checkout page of a compromised website that captures customers' payment details and sends them to a remote server. Magecart groups have also been responsible for breaching sites belonging to high-profile companies like TicketMaster and Newegg, in addition to sites belonging to other small online merchants.
In a recently released statement, the ICO said an extensive investigation found that a variety of information, including names, addresses, logins, payment card data, and travel booking details, was compromised by poor security arrangements at the company.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience,” Information Commissioner Elizabeth Denham said. “That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The data breach took place several months after GDPR became effective. The quarter of a billion-dollar fine is equivalent to 1.5% of the company’s worldwide revenue for its 2017 financial year. A maximum fine of 4% is possible in these cases. The ICO stated that BA cooperated with its investigation and made improvements to the security environment since the data breach came to light.
“SecureNation provides solutions to companies that have been breached,” CEO Jon Davis said, “but helping our customers find the right combination of protection before a breach is our passion. The new laws and fines are here and serious. With the right solutions we can prevent attacks, saving our customers time, reputations, legal issues, and costly fines.”
Contact SecureNation today and begin the process of securing your organization.