The UK data protection regulator, the Information Commissioner’s Office, has issued a monetary penalty of £20m to British Airways in connection with a cyber-attack which took place in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR.
The incident commenced with a “supply chain attack” where BA’s network was accessed by an attacker using compromised credentials of a user within a third party supplier to BA. After successful lateral movement within the BA network, and attaining administrative privileges, the attacker altered web forms to redirect customer payment card data to a website owned and controlled by the attacker. The incident involved the personal data of more than 400,000 customers being accessed by the attacker.
The ICO’s comments within the monetary penalty notice provide an insight into the security measures expected in relation to a range of issues such as remote access authentication, privilege management, logging and monitoring, and vulnerability scanning/ pen testing.
The ICO’s assessment of the breach
The cyber-attack took place between June and September 2018. In the current remote working environment the ICO’s comments regarding remote access and security measures are particularly relevant to organisations now.
The attacker initially gained access to BA’s internal systems through the use of compromised remote access credentials used by a third party supplier to BA, which were not subject to multi-factor authentication. Once inside the BA network, the attacker was able to gain higher levels of access and control in order to extract individual customers’ personal data, and ultimately redirect data to a different website to obtain customer payment data on an ongoing basis for several weeks.
A third party informed BA that data was being re-directed, and within 2 hours of becoming aware BA had contained the vulnerability and blocked the URL for the malicious site. However, notwithstanding the security measures BA had in place at the time, the ICO found that BA had failed to put in place appropriate technical and organisational measures to ensure appropriate security of its customers’ data in this context. In particular, the ICO highlighted the following:
- Initial access / supply chain attack. Whilst setting security standards for third-party suppliers is commendable, in the ICO’s view these need to be backed up by appropriate technical measures – in this remote access context, either multi-factor authentication or an appropriate alternative (e.g. external public IP address whitelisting or an IPSec VPN).
- Breaking out of remote access gateway. In the ICO’s view there should have been an up to date risk assessment of the remote access gateway (or the applications accessed through the gateway) to ensure these were secure. Although the decision suppresses some of the relevant detail, in this context in the ICO’s view the particular vulnerability exploited by the attacker was well documented. The ICO stated that steps such as application whitelisting (e.g. only certain programs or apps can be run by individuals with access via a specific route), blacklists (e.g. blocking certain apps) and application/server hardening (e.g. reducing vulnerabilities by removing access to features not required for the purpose the access is granted) would have been appropriate measures to take. The ICO highlighted in particular the importance of rigorous testing, including simulating where an attacker has access to the network, as a way of detecting and addressing many of the issues it identifies in its monetary penalty notice.
- Preventing, limiting and detecting lateral movement. In the ICO’s view BA had not taken appropriate steps to mitigate the risk that, once inside the network, an attacker could gain further access to valuable data and systems, including storing privileged administrator credentials in unencrypted plain text files and inadequate protection and monitoring of privileged accounts. The ICO emphasises several times the importance of the principle of “least privilege”, and that system administrator accounts should only be enabled, where necessary, on a case by case basis. In relation to detection measures, in the ICO’s view a key detection measure would have been appropriate logging/monitoring of use of admin accounts for unusual activity.
- Unnecessary retention of cardholder data. The attacker was able to access log files, in plain text, which contained payment card details. The logging and storing of card details (including CVV numbers) was not an intended design feature and was not required for the business purpose. The ICO noted this was a testing feature that was left active once the systems went live, due to human error (although such information was only retained for 95 days). In the ICO’s view implementation of industry-standard manual code review would have prevented this error, and in light of the Payment Card Industry Data Security Standard (“PCI DSS”) CVV numbers should not have been logged at all.
- Protection of website code. Although there were change management controls in place to manage changes to website code, in the ICO’s view there were insufficient measures in place to detect unauthorised changes to the website code. In the ICO’s view measures to detect this type of malicious activity could have been put in place, including file integrity monitoring, which allows the system to detect and alert an organisation to changes being made to its code.
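As an added illustration of the file integrity monitoring the ICO refers to (example code written for this commentary, not BA’s or the ICO’s), the following Python block baselines SHA-256 hashes of website code, compares a later scan against that baseline, and flags any change that no approved change-management record covers. The web root contents, the approved-change set and the `snapshot_dir` helper are constructed assumptions.

```python
import hashlib
from pathlib import Path

def compute_baseline(files):
    """Map each relative path to the SHA-256 of its content (files: path -> bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def compare(baseline, current):
    """Diff two baselines and return the added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline.keys() & current.keys()
                      if baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}

def unapproved_changes(report, approved):
    """Any changed path not covered by an approved change record is an alert."""
    changed = report["added"] + report["removed"] + report["modified"]
    return sorted(p for p in changed if p not in approved)

def snapshot_dir(root, suffixes=(".js", ".html", ".css")):
    """Hypothetical helper: build a baseline from the files under a web root on disk."""
    root = Path(root)
    return compute_baseline({
        str(p.relative_to(root)): p.read_bytes()
        for p in root.rglob("*") if p.is_file() and p.suffix in suffixes
    })

def demo():
    # Constructed sample of a web root as it looked at release time.
    release = {
        "index.html": b"<html><body>Book a flight</body></html>",
        "checkout/payment.js": b"function submitCard(f) { return post('/pay', f); }",
        "assets/site.css": b"body { font-family: sans-serif; }",
    }
    baseline = compute_baseline(release)
    # Later scan: payment.js gained a line nobody raised a change ticket for,
    # and a new stylesheet appeared that was approved through change management.
    later = dict(release)
    later["checkout/payment.js"] = release["checkout/payment.js"] + b"\n// unexpected edit"
    later["assets/new.css"] = b".promo { color: red; }"
    report = compare(baseline, compute_baseline(later))
    approved = {"assets/new.css"}  # constructed change-management record
    return report, unapproved_changes(report, approved)

if __name__ == "__main__":
    report, alerts = demo()
    print("report:", report)
    print("ALERT unapproved changes:", alerts)
```

In practice the baseline is stored outside the web server’s reach and refreshed only from the release pipeline, so that an attacker with access to the server cannot simply re-baseline their own change.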
In light of these technical issues, the ICO found that BA had failed to process its customers’ personal data in a manner that ensured appropriate security.
The comments from the ICO provide an indication of the security measures expected to protect against similar attacks, in particular the expectation that multi-factor authentication (or an appropriate alternative) is used for remote access, even where the system being accessed does not itself contain personal data (e.g. where this could lead to further access to other systems which do contain personal data and/or allow an attacker to unlawfully access personal data).
Calculation of the penalty
The ICO held that a financial penalty was appropriate because in its view this was a serious contravention, a large number of individuals had been affected and there was a degree of damage or harm to those individuals. Key factors in determining the initial level of the penalty included the fact that BA was only alerted to the issue by a third party, the likelihood that many affected individuals would have suffered anxiety and distress as a result of the breach, and the duration of the breach. The ICO was not swayed by arguments that (beyond the specific issues which were exploited in this attack) BA’s security as a whole was robust, or that the attacker was particularly sophisticated.
In June 2019 the ICO issued BA with a notice of intent to impose a monetary penalty of £183m. Although not explored in detail in the monetary penalty notice, it appears the reduction from the proposed amount of £183m was a result of the detailed representations and additional information provided by BA, in tandem with the cooperation process whereby the ICO as lead supervisory authority had to consult with other EU authorities regarding its proposed course of action. Much of the decision is dedicated to the ICO’s defence of its approach to the assessment of the penalty (perhaps not surprisingly in light of the significant climbdown from the initially proposed figure).
Following the representations and additional information from BA, the ICO sets out in its monetary penalty notice that the penalty would have been £30m, but was reduced by 20% to £24m on account of mitigating factors such as the immediate action taken by BA to minimise the damage suffered by data subjects and its prompt notification of data subjects, the ICO and other agencies.
The monetary penalty was further reduced by £4m to £20m on account of the impact of the COVID-19 pandemic on BA and more generally. Notwithstanding those reductions, this is still the highest monetary penalty issued by the ICO to date.
Interestingly, the ICO directly addressed the point that under the GDPR a breach of the requirements in relation to technical and organisational security measures under Article 32 is subject to a maximum fine of 2% of annual worldwide turnover of the preceding financial year or €10m (whichever is greater), whereas a breach of the integrity and confidentiality principle under Article 5(1)(f) is subject to a maximum fine of 4% of annual worldwide turnover of the preceding financial year or €20m (whichever is greater). The ICO made clear in its monetary penalty notice that because Article 5(1)(f) has been breached, it is able to impose a monetary penalty under the 4%/€20m tier and is not restricted to the 2%/€10m tier merely because Article 32 has also been breached.