The monster BA hack, in which almost 400,000 payment cards details were hacked, may well have slipped from the headlines but to be sure the seismic rumblings are still sending shockwaves through industries of all shapes and size.
If BA had deliberately set out to get data protection so wrong it couldn’t have done any better. BA's boss, Alex Cruz described the hack as, “A very sophisticated, malicious attack.”
Sophisticated or simple?
Well it was certainly malicious but whether it was sophisticated we’ll find out soon enough. An educated guess suggests it was via malicious code inserted into third party script. This is a logical conclusion given that the payment card data was apparently lifted as transactions were being made.
Most websites today have integrated third party scripts from a variety of sources. Often these scripts, loaded from vendor servers such as ad servers, analytics, or marketing, lack the level of security needed to protect visitors to the site.
If attackers discover vulnerabilities in third party script they can embed malicious code that can snoop and then steal information, such as credit card data when payments are being made. Because third party code is only activated on a visitor’s web browser, security measures on a company’s main site’s web server can be bypassed.
Couldn’t have been much worse
However, the bigger question which no doubt many organisations will be keeping a wary eye on, is; how will the Information Commissioner’s Office (ICO) respond in terms of the recently introduced General Data Protection Regulations (GDPR)?
For one thing the hack couldn’t have been much worse in terms of the stolen data - names, billing addresses, email addresses and all bank card details. In one sense this means BA meets the ‘failure’ requirement which would allow the ICO to hit it with a whopping 4% of turnover fine if it determines BA was wilfully neglectful.
For BA’s parent company, International Airlines Group (IAG), this could equate to approximately £810 million. On the other hand, if the ICO generously interprets the hack as a failure to comply with GDPR mandates it could be hit with a lesser fine of 2% of global turnover, approximately £405 million.
BA was clearly struggling with cyber security demands ahead of the hack. IAG was planning to outsource BA cyber security to IBM after conceding it needed a strategic and proactive approach to counter threats. As such BA expected to transfer the majority of its cybersecurity functions to IBM.
We can’t read too much into this but it’s fair to say that the need for a ‘strategic approach’ suggests it had an ad hoc and reactive approach. This will be very familiar to many large organisations. While cyber security has risen up organisational agendas, many still find themselves on the back foot and struggle to contain and manage the many threats they face.
Outsourcing is an effective way to manage this and for some time, financial services in particular, organisations have been drawing on third-party Secure Operations Centres to manage aspects of cyber security such as 24/7 network monitoring.
Post it in a public forum
But BA was also clearly struggling with GDPR across the company. Just before the hack, BA’s social media staff were encouraging customers to post personal data such as their addresses and passport numbers into a public forum.
They didn’t make it clear that the information should be sent via a direct message rather than post it publicly which some customers did. The irony is the BA social media staff said that they needed the information for GDPR compliance.
However, that said at a higher level BA complied with GDPR requirements by notifying customers and the ICO within 72 hours of the hack. This illustrates the power of GDPR and the seriousness with which it is being taken. Previously it was the norm for companies to sit on knowledge of hacks for months before anything was revealed to the world.
Reporting a breach early at least shows an awareness of the seriousness of cyber security even if it cannot be defended against quickly. And in BA’s case it also sets a ‘crisis response’ benchmark for other companies who suspect they will be targeted by attackers at some point.
BA was certainly a carefully targeted attack. The attackers surely sniffed rich pickings and were probably salivating at the prospect of plucking payment cards details from a relatively wealthy customer base.
At the very least, following the BA hack and within the context of GDPR, more organisations will realise it’s a case of ‘when’ they are attacked rather than ‘if’. As a result cyber security will tighten up and crisis procedures will be put in place to mitigate the effects.
Security must move with the times. In practice this means a better approach, in which security is at the heart of every component of every system. In a sense it’s a zero trust model in which organisations adopt a ‘never trust, always verify’ approach. This then protects against a wide range of existing and evolving threats.
Given the demands of GDPR this approach has been given added impetus. It’s a great opportunity for the channel from an education and consultancy perspective and certainly opens the door for greater business opportunities. The key thing today is that increasing numbers of organisations are ever more receptive and even more so in the wake of the BA hack.
Better for customers
A more concentrated focus on cyber security is certainly good news for customers whose data is exposed, even if it did in BA’s case lead to panicked responses. At least customers had the knowledge to take action before their accounts were plundered or to stop damage being done at an early stage.
In the recent past identity thieves were making merry with stolen personal data while victims had no idea their information was being bought, sold and exploited.
The question is though whether the ICO are likely to stick the GDPR message to BA to show the seriousness of the breach and the magnitude of its powers. It’s the million dollar question and who would bet against it?