The security and regulatory implications of British Airways’ data breach and GDPR penalty
Cybersecurity experts Rob Grosvenor, Lorenzo Grillo, Matthew Negus, Kevin Hall, Samita Patel and Stephen Miller of Alvarez & Marsal look at the implications of the ICO's first big GDPR fine.
In October 2020 the UK Information Commissioner’s Office (ICO) penalised British Airways (BA) £20 million for infringements of the GDPR stemming from a 2018 data breach. The penalty notice came more than two years after BA discovered the incident and notified the ICO, and over a year after the ICO issued its Notice of Intent, in July 2019, to impose a penalty of £183 million.
The case has garnered significant publicity owing to the unprecedented size of the fine originally proposed. It represents one of the first material incidents assessed by the ICO under the GDPR. In this article we provide a brief overview of the incident, consider the security aspects of the incident itself and discuss some of the key lessons for organisations who may be wondering what this means for their own information security practices.
The incident
Based on the ICO’s investigation, we understand that an attacker gained unauthorised access to BA’s internal network using Citrix Remote Access Gateway (RAG) credentials belonging to an employee of a large third-party service provider. Thus began an almost three-month chain of events: the attacker first accessed and then ‘broke out’ of the Citrix RAG environment into the wider BA network, and then scoured it for weaknesses, which it found in the form of privileged login credentials stored in plain text.
The attacker then co-opted privileged domain administrator and database administrator accounts, gaining effectively unrestricted domain access. They traversed the network unimpeded, accessed log files containing payment card details (including card verification value (CVV) numbers), and altered JavaScript code on the BA website so that the payment card details of customers transacting online were diverted to a third-party website controlled by the perpetrator.
A third party made BA aware of the attack. BA acted promptly, blocking the malicious code on the same day it was informed. It notified the ICO the next day, along with other regulatory authorities in the UK and around the world, law enforcement agencies, multiple US state attorneys general, acquirer banks and payment schemes. The airline also swiftly informed affected customers and took steps to mitigate potential harm by offering to reimburse customers who suffered financial loss as a direct consequence of the breach and by providing free credit monitoring.
All in all, the attack compromised the personal data of almost half a million individuals. That data included names, addresses, payment card details including CVV, the usernames and passwords of BA employees, and the usernames and PINs of BA Executive Club members.
The infringements and the fine
After a comprehensive investigation and having considered representations from BA throughout 2019 and into 2020, the ICO concluded that BA had failed to process customer data in a manner that ensured appropriate security as required by Articles 5(1)(f) and 32 of the GDPR. The ICO took into account the adequacy and appropriateness of the measures, the risks that were known or could reasonably have been identified or foreseen and the appropriate measures within Articles 5 and 32 of the GDPR that were not, but could and should have been, in place.
The ICO also concluded that the infringements were serious enough to warrant a penalty, despite BA’s representations strongly arguing otherwise. The ICO set the fine at £30 million and then reduced it twice: first by 20% to £24 million to reflect mitigating factors, and then by a further £4 million under the ICO’s COVID-19 policy, giving the final £20 million.
Key lessons
The overarching lesson from this case is that organisations that do not properly understand the risks to their systems and critical information are sitting ducks for cyber criminals, with potentially devastating consequences. This is why the UK’s National Cyber Security Centre (NCSC) places embedding an appropriate risk management regime at the top of its 10 Steps to Cyber Security. The BA case highlights the importance of a robust, board-endorsed approach to cyber security and privacy across the organisation. As well as deploying proportionate technical controls, an agreed risk appetite should inform sound company-wide governance and training. Below are some of the more specific lessons:
Remote network access (especially for service providers)
Implementing multi-factor authentication - Remote network access protected by a username and password alone is not considered sufficient, especially when that access is granted to third parties. Multi-factor authentication adds a further layer of protection for remote access to networks and applications and is recommended in National Institute of Standards and Technology (NIST) guidance on supply chain and identity management. It is becoming more widespread and cheaper to implement.
Restricting applications - When provisioning third-party network access, application allow lists (and, where needed, deny lists) should be configured so that each third party can reach only the systems critical to the service it supplies. This also makes an intruder’s job harder by limiting the entry points available for attack. In this regard, the ICO referenced its Security Outcome guidance, highlighting the importance of limiting access rights to users who reasonably need them to perform key functions and of removing access when it is no longer needed.
Hardening and testing - Other recognised network protection controls include running only the services that are strictly necessary, so as to limit the routes by which an attacker could compromise systems on the network, and conducting appropriate periodic penetration testing.
Deviation from security policies
Policy deviations and alternative controls - Circumstances may arise that legitimately require organisations, especially those with large and complex IT environments, to deviate from their security policies. Any exception or deviation should be documented following a risk assessment, and the organisation should still consider implementing alternative compensating controls. The BA case highlights the unfavourable view a regulator is likely to take where an organisation does not suitably document deviations from its policies.
Managing policy exceptions - It is not uncommon for large organisations to deviate from one or more policies on occasion, for example for particular business lines or systems, or where third parties are unable to provide compatible security controls. It is important, however, to record exceptions to policy requirements so that the cumulative risk of multiple deviations, which can build up into significant enterprise security risk, can be monitored. The procedures for evaluating and approving policy exceptions should themselves be reassessed periodically, particularly exceptions approved before new regulations such as the GDPR came into force.
Managing privileged administrator accounts
Protecting privileged accounts - Privileged accounts require additional protection, given that they ordinarily grant the user unrestricted access to a system and the consequences of misuse can be wide-ranging and severe. The ICO set out a range of appropriate measures to prevent attackers from obtaining privileged access, including not storing passwords in plain text, using separate accounts for administrative tasks, and granting privileges according to the principle of least privilege. Plain-text password storage may be administratively convenient but is not good practice.
Privileged access management - Log-in attempts to privileged accounts, and the way those accounts are subsequently used, should be monitored. Policies and procedures for enabling and using privileged administrator accounts should be reviewed periodically. Tools that monitor the enabling and disabling of accounts and alert on failed log-in attempts should be implemented. Privileged access management tooling and user access management methodologies, such as those in NIST guidance and ISO/IEC 27001, should inform senior management’s decisions in this area.
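As an added illustration of the plain-text credential point above (example code written for this edit, not code from the original article, BA or the ICO), the Python scanner below checks script and configuration text for credential-like key/value pairs, masks what it finds so the report does not itself become a second plain-text store, and treats vault, template and environment-variable references as acceptable. The file names, file contents and detection patterns are constructed assumptions.

```python
"""Scan script and configuration text for embedded plain-text credentials.

Added illustrative example; not code from the article, BA or the ICO.
The file names, file contents and detection patterns are assumptions
constructed for this example.
"""
import re

# key=value, key: value or XML/connection-string forms whose key looks credential-like.
CRED_KEY_RE = re.compile(
    r"(?P<key>[A-Za-z_]*(?:password|passwd|pwd|secret|api[_-]?key|token))\b"
    r"\s*[=:]\s*"
    r"[\"']?(?P<value>[^\"'\s;,]+)",
    re.IGNORECASE,
)

# Values that reference a vault, environment variable or template rather than a literal secret.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|\{\{.*\}\}|\*+|os\.environ.*|getenv\(.*)$"
)


def mask(value):
    """Keep a two-character prefix for triage; the report must not leak the secret itself."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_text(name, text):
    """Return (file, line_no, key, masked_value) for every literal credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CRED_KEY_RE.finditer(line):
            value = m.group("value")
            if PLACEHOLDER_RE.match(value):
                continue  # reference to a secret store, not the secret itself
            findings.append((name, line_no, m.group("key").lower(), mask(value)))
    return findings


def scan_files(files):
    """files: mapping of file name -> text content."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample files (not BA's). Two contain literal secrets; the third is the hardened form.
SAMPLE_FILES = {
    "deploy.ps1": (
        '$dbPassword = "Pa55w0rd"\n'
        "Invoke-Sqlcmd -Username dba_admin -Password $dbPassword -Query $q\n"
    ),
    "web.config": (
        '<add name="Bookings" connectionString="Server=db01;Database=bk;'
        'User Id=svc_web;Password=Winter2018;" />\n'
    ),
    "app.yaml": (
        "db:\n"
        "  user: svc_web\n"
        "  password: ${DB_PASSWORD}\n"
        "api_key: <injected-at-deploy>\n"
    ),
}


if __name__ == "__main__":
    for name, line_no, key, masked in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {key} = {masked}")
```

Patterns like this only catch key/value forms; a password passed positionally on a command line (as with `net use` or `mysql -p`) needs its own rule, and a clean scan is evidence of absence only for the patterns you wrote. In practice such a check is run over code repositories, configuration shares and scheduled-task definitions, and a finding is closed by moving the secret into a vault or a privileged access management tool, not by deleting the line and leaving the password in use.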
Network monitoring, logging and alerts
Monitoring and detection measures - Preventative measures may not be enough; attackers can still infiltrate a network. Organisations must therefore also rely on measures for detecting suspicious activity, such as network monitoring and detection systems that raise alerts on multiple failed log-in attempts, unauthorised access, and unauthorised use of accounts and applications.
Network logs - The ICO considers network logging an appropriate measure and referred to NCSC guidance on logging for security purposes, which describes logging as the foundation on which security monitoring is built. Log collection and alerting of this kind are typically centralised in a security information and event management (SIEM) system.
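As an added example (not the article’s, BA’s or the ICO’s own code) of the detection logic this section describes, the Python below runs two rules over constructed authentication log lines: a burst of failed log-ins for one account from one source within a short window, followed by a success, and a successful log-in to a privileged account from a host outside the approved administrative sources. The log format, account names, addresses and thresholds are assumptions invented for the example.

```python
"""Rule-based detection over authentication log lines.

Added illustrative example; not code from the article, BA or the ICO.
The log format, account names, addresses and thresholds are assumptions
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real BA data). Assumed format:
# <ISO-8601 UTC timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip> [target=<host>]
SAMPLE_LOG = """\
2018-06-22T10:00:01Z LOGIN_FAIL user=vendor_svc src=203.0.113.5
2018-06-22T10:00:09Z LOGIN_FAIL user=vendor_svc src=203.0.113.5
2018-06-22T10:00:14Z LOGIN_FAIL user=vendor_svc src=203.0.113.5
2018-06-22T10:00:20Z LOGIN_FAIL user=vendor_svc src=203.0.113.5
2018-06-22T10:00:25Z LOGIN_FAIL user=vendor_svc src=203.0.113.5
2018-06-22T10:00:31Z LOGIN_OK user=vendor_svc src=203.0.113.5
2018-06-22T11:15:02Z LOGIN_OK user=da_admin src=203.0.113.5 target=dc01
2018-06-22T11:15:40Z LOGIN_OK user=alice src=10.0.4.17 target=fileshare
2018-06-23T09:02:11Z LOGIN_FAIL user=bob src=10.0.4.18
2018-06-23T09:30:00Z LOGIN_OK user=bob src=10.0.4.18
2018-06-23T14:00:00Z LOGIN_OK user=da_admin src=10.0.9.2 target=dc01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"(?:\s+target=(?P<target>\S+))?$"
)

# Assumed policy: which accounts are privileged and which hosts administrators may use.
PRIVILEGED_ACCOUNTS = {"da_admin", "dba_admin"}
ADMIN_SOURCES = {"10.0.9.2"}

FAIL_THRESHOLD = 5                  # failures from one (user, src) pair ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise a burst alert


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text):
    """Return alerts as (timestamp, rule, user, src) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(deque)  # (user, src) -> failure timestamps inside the window
    in_burst = set()                   # keys already alerted on, so one alert per burst, not per line
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # a production pipeline would count unparsed lines as a health metric
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGIN_FAIL":
            window = recent_fails[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in in_burst:
                in_burst.add(key)
                alerts.append((ev["ts"], "FAILED_LOGIN_BURST", ev["user"], ev["src"]))
            continue
        # LOGIN_OK: a success straight after a burst suggests a guessed or stolen credential.
        if key in in_burst:
            alerts.append((ev["ts"], "SUCCESS_AFTER_FAILED_BURST", ev["user"], ev["src"]))
            in_burst.discard(key)
            recent_fails[key].clear()
        # Privileged account used from outside the approved administrative hosts.
        if ev["user"] in PRIVILEGED_ACCOUNTS and ev["src"] not in ADMIN_SOURCES:
            alerts.append((ev["ts"], "PRIVILEGED_LOGIN_UNEXPECTED_SOURCE", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for ts, rule, user, src in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<36} user={user} src={src}")
```

Whatever SIEM is in use, the shape is the same: normalise events, keep per-key state over a sliding window, and emit one alert per condition rather than one per matching line so analysts are not flooded. The privileged-account rule is only as good as the allow list behind it, so the record of approved administrative hosts has to be maintained alongside the privileged accounts themselves.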
The fine is a clear message that regulators will come down hard on cyber security failings where they consider it necessary. No single error led to the data breach; rather, a series of failings ultimately caused the company significant financial loss. Combined with the cost of protracted negotiations and the associated reputational damage, cyber security failings can evidently be hugely expensive.