Following a major security incident that breached the sensitive personal data of over 400,000 individuals (passengers), on 08/07/2019 the British Information Commissioner (“ICO”) notified the airline of its intention to fine it the significant sum of £183.39 million (€204M) for violations of art. 32 GDPR.
Under the cooperation mechanism with the other supervisory authorities concerned, the ICO, as lead authority, has now imposed a final penalty 90% lower than the one originally announced: £25 million (€22 million).
The facts
The sanction relates to a cyber incident that British Airways notified to the ICO in September 2018. The incident, believed to have begun in June 2018, resulted in part in the diversion of the traffic of more than 400,000 users of the British Airways (“BA”) website to a fraudulent site controlled by the attacker.
The ICO investigation found that a variety of information, including, among other things, login details, payment card details, travel booking details and personal data, was compromised because of inadequate corporate security measures.
Times
The incident consisted of unauthorized access by malicious third parties to BA’s internal computer network and the exfiltration of highly sensitive personal data (cardholder data) to a fraudulent website controlled by the attackers. It lasted more than two months, from 22 June to 5 September 2018, the date on which BA became aware of the attack.
Violation
According to the ICO, BA failed to adopt adequate technical and organizational measures to protect the data against unauthorized or unlawful processing and against accidental loss, destruction or damage, as required by article 5(1)(f) and article 32 of the GDPR.
Method of attack
The factual details offer useful lessons and precedents for reducing the risk of a personal data breach and for managing one well when it occurs. The attack was carried out remotely through a company tool (CAG) that provides remote access to the network and applications.
1. Access via compromised credentials
The attack began with the attacker obtaining the login credentials that BA had issued to an employee of a third-party service provider (a so-called “supply chain attack”). BA was unable to establish how the credentials of the third-party employee’s account had been compromised. The account, although it allowed remote access (itself an element of vulnerability), was not protected by multi-factor authentication (“MFA”, i.e. a mechanism that limits access to those who can complete a combination of two or more steps).
2. Access to privileged profiles
Through subsequent operations, the attacker was able to access a file containing the credentials (username and password) of the system administrator accounts. The credentials were stored in clear text in a folder on the server; in principle, any user within that domain could have accessed the file and obtained the domain administrator’s username and password.
Access to these system administrator credentials provided the attacker with virtually unlimited access to the compromised domain.
3. Access to credit card data
After a couple of unsuccessful attempts, the attacker was able to access log files, stored in clear text, containing among other things personal data and payment card details from BA refund transactions of 244,000 individuals, the credit card numbers and CVV numbers of 77,000 individuals, and the credit card numbers alone of 108,000 individuals.
4. Unnecessary data
The logging and storage of card details (including, in most cases, CVV numbers) does not appear to have served any particular business purpose: it was a test function that was supposed to run only while the systems were inactive, but which was left enabled when the systems went live again.
5. Absence of encryption
According to BA, these credit card data were stored in clear text (rather than encrypted) because of human error, so the details of around 108,000 payment cards were potentially available to the attacker for the entire period in which the breach went undetected (over two months).
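Points 4 and 5 above describe a test logging path that was left enabled and wrote card numbers and CVVs to disk in clear text. As an added example (not code from the article or from BA), here is a Python logging filter that masks Luhn-valid card numbers and strips CVV values from every record before it is written, so a debug or test logging path cannot persist payment card data regardless of whether someone remembered to switch it off. The field names, patterns and sample log lines are constructed assumptions.

```python
import logging
import re

# 13-19 digits, optionally separated by single spaces or dashes (assumed PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV/CVC field followed by its 3- or 4-digit value, e.g. cvv=123 or "cvc": "1234".
CVV_RE = re.compile(r"(?i)(cv[vc]2?\W{0,4})(\d{3,4})")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # e.g. a ticket or transaction id, not a card number: leave it alone
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact(line):
    """Mask PANs to first6/last4 and remove CVV values from one log line."""
    line = PAN_RE.sub(_mask_pan, line)
    return CVV_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)

class CardDataFilter(logging.Filter):
    """Attach to the handler, not the logger, so no record reaches disk unredacted."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then redact the result
        record.args = ()
        return True

def redacting_logger(name="payments"):
    handler = logging.StreamHandler()
    handler.addFilter(CardDataFilter())
    logger = logging.getLogger(name)
    logger.addHandler(handler)
    return logger

# Constructed sample lines; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_LINES = [
    "refund txn=8841 pan=4111 1111 1111 1111 cvv=123 amount=220.00",
    "booking ref=ABC123 ticket=1234567890123 cvv=unset",
]
```

Calling `redacting_logger().warning("%s", line)` for each sample line prints the first with the PAN masked and the CVV removed, and the second unchanged because its 13-digit ticket number fails the Luhn check.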
6. Data redirection on the attacker’s site
Finally, the attacker redirected passengers’ payment card data to a different website under his control: during this period, whenever customers entered their payment card details on BA’s website, a copy of the data was sent to the attacker without interrupting BA’s normal booking and payment process.
The incident was finally discovered on 5 September 2018, and only because a third party reported that data were being transferred from the BA site to an unknown site.