Updated: Aug 29, 2019
British Airways is one of the latest large, well-known brands to be hit with a data breach. In this case, a security issue related to the ba.com website caused the breach of about half a million records belonging to UK citizens. This may be the worst data privacy event since the advent of GDPR a little over one year ago.
At the time GDPR came into effect, I blogged about it quite a bit. You may review those posts if you wish. I've linked to them below.
In the case of this breach, British Airways is facing the largest fine imposed under GDPR to date, approximately $230 million US (£183 million GBP). It's a staggering amount and a clear warning to any company that must comply with GDPR.
There has been a lot written about this over the past day. I find the following quote, from an article posted on Dark Reading yesterday, to be the most important statement I've read to date:
"If a business the size of BA can be found wanting, smaller companies should be asking themselves whether their data security arrangements are up to scratch," said Susan Hall, an IT and data protection specialist lawyer and partner at Clarke Willmott, in a statement. "This reinforces the importance for businesses of having robust terms and conditions with anyone to whom they contract website development and hosting, and of carrying out penetration testing and constant security monitoring of all interfaces through which attacks can be launched."
When I talk about Realistic Cybersecurity, the quote above gets to the heart of the matter. British Airways spends a lot on cybersecurity. Despite that spend and all the expertise and technology they bring to bear, this happened. They missed a critical attack vector and they got hurt by the oversight. Sometimes you need to bring things back to the basics. Start with simple, straightforward questions. Be sure you aren't forgetting about that little-used doorway down the hall that leads right to the crown jewels. As stated above, be sure you have appropriate agreements in place to limit your exposure. Understand your risk factors. You can't afford to ignore even the most remote possibility in this day and age.
As promised, here are links to some of my other GDPR posts: