British Airways has been fined £20 million by the British regulator, the ICO, for not having its security in order. Among other things, the company stored sensitive data unencrypted.
The Information Commissioner's Office arrived at the fine of 33 million euros after investigating a large-scale data breach in 2018, in which the personal data of 380,000 people was stolen, including credit card details with CVV numbers. The privacy regulator describes how the payment systems were hacked and lists where security went wrong.
The attackers gained access to British Airways' networks using the account credentials of a Swissport employee. From there they obtained tools within the Citrix environment that they could use to survey the network. For example, they discovered the login name and password of an administrator account, stored in plain text, which according to the ICO gave almost unlimited access to the domain.
In this way the attackers were able to log into multiple servers, and on July 26, 2018, they gained access to log files containing credit card information, including CVV numbers, again stored in plain text. Because a test function had gone live through human error, card data had been logged unencrypted in this way since December 2015. The retention period was limited to 95 days, which limited the damage somewhat, but the data of 108,000 cards was still exposed this way.
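The failure described above, card numbers and CVVs written to application logs in plain text, is exactly what a periodic log scan and a redacting log filter are meant to catch. The following Python is an added example, not code from the ICO notice or from British Airways' systems: it flags Luhn-valid card numbers and stored CVVs in a handful of constructed log lines (using well-known test card numbers, not real ones) and shows the mitigation, masking the card number and dropping the CVV before the line is written.

```python
import re

# Constructed sample log lines, modelled on a debug hook that dumps raw
# payment data; the card numbers are public test PANs, not real cards.
SAMPLE_LOG = """\
2018-07-26 10:01:12 INFO payment ok order=4471 amount=129.00
2018-07-26 10:01:13 DEBUG test-hook raw={"pan":"4111111111111111","cvv":"123","exp":"09/21"}
2018-07-26 10:01:14 INFO session refresh id=1234567890123456
2018-07-26 10:01:15 DEBUG test-hook raw={"pan":"5500 0000 0000 0004","cvv":"987"}
"""

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed JSON field name; adapt to the log format actually in use.
CVV_RE = re.compile(r'"cvv"\s*:\s*"(\d{3,4})"', re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out ordinary ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in one log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_log(text: str) -> list[tuple[int, str]]:
    """Detection: report (line number, finding) for every PAN or stored CVV."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((n, f"PAN ending {pan[-4:]}"))
        if CVV_RE.search(line):
            findings.append((n, "CVV present"))
    return findings

def redact(line: str) -> str:
    """Mitigation: mask PANs to the last four digits and drop the CVV before logging."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)  # not a card number, leave untouched
    return CVV_RE.sub('"cvv":"[REDACTED]"', PAN_RE.sub(mask, line))
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 4 for both a PAN and a CVV while leaving the 16-digit session id on line 3 alone; `redact` applied as a logging filter would have prevented the lines from ever containing the data.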
The fine is much lower than the £183 million the ICO had threatened last year, partly because the aviation sector is in financial difficulty due to the corona pandemic. During the talks over the amount of the fine, British Airways told the ICO that credit card data breaches are "a completely mundane phenomenon."