The UK data protection regulator, the Information Commissioner’s Office, has issued a monetary penalty of £20m to British Airways in connection with a cyber-attack which took place in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR.

The incident commenced with a “supply chain attack” where BA’s network was accessed by an attacker using compromised credentials of a user within a third party supplier to BA. After successful lateral movement within the BA network, and attaining administrative privileges, the attacker altered web forms to redirect customer payment card data to a website owned and controlled by the attacker. The incident involved the personal data of more than 400,000 customers being accessed by the attacker.

The ICO’s comments within the monetary penalty notice provide an insight into the security measures expected in relation to a range of issues such as remote access authentication, privilege management, logging and monitoring, and vulnerability scanning/pen testing.

The ICO’s assessment of the breach

The cyber-attack took place between June and September 2018. In the current remote working environment the ICO’s comments regarding remote access and security measures are particularly relevant to organisations now.

The attacker initially gained access to BA’s internal systems through the use of compromised remote access credentials used by a third party supplier to BA, which were not subject to multi-factor authentication. Once inside the BA network, the attacker was able to gain higher levels of access and control in order to extract individual customers’ personal data, and ultimately redirect data to a different website to obtain customer payment data on an ongoing basis for several weeks.

A third party informed BA that data was being re-directed, and within 2 hours of becoming aware BA had contained the vulnerability and blocked the URL for the malicious site. However, notwithstanding the security measures BA had in place at the time, the ICO found that BA had failed to put in place appropriate technical and organisational measures to ensure appropriate security of its customers’ data in this context. In particular, the ICO highlighted the following:

  • Initial access / supply chain attack. Whilst setting security standards for third-party suppliers is commendable, in the ICO’s view these need to be backed up by appropriate technical measures – in this remote access context, either multi-factor authentication or an appropriate alternative (e.g. external public IP address whitelisting or IPSec VPN).
  • Breaking out of remote access gateway. In the ICO’s view there should have been an up-to-date risk assessment of the remote access gateway (or the applications accessed through the gateway) to ensure these were secure. Although the decision suppresses some of the relevant detail, in this context in the ICO’s view the particular vulnerability exploited by the attacker was well documented. The ICO stated that steps such as application whitelisting (e.g. only certain programs or apps can be run by individuals with access via a specific route), blacklists (e.g. blocking certain apps) and application/server hardening (e.g. reducing vulnerabilities by removing access to features not required for the purpose the access is granted) would have been appropriate measures to take. The ICO highlighted in particular the importance of rigorous testing, including simulating where an attacker has access to the network, as a way of detecting and addressing many of the issues it identifies in its monetary penalty notice.
  • Preventing, limiting and detecting lateral movement. In the ICO’s view BA had not taken appropriate steps to mitigate the risk that, once inside the network, an attacker could gain further access to valuable data and systems; in particular, the ICO pointed to privileged administrator credentials being stored in unencrypted plain text files and to inadequate protection and monitoring of privileged accounts. The ICO emphasises several times the importance of the principle of “least privilege”, and that system administrator accounts should only be enabled, where necessary, on a case by case basis. In relation to detection measures, in the ICO’s view a key detection measure would have been appropriate logging/monitoring of the use of admin accounts for unusual activity.
  • Unnecessary retention of cardholder data. The attacker was able to access plain text log files which contained payment card details. The logging and storing of card details (including CVV numbers) was not an intended design feature and was not required for the business purpose. The ICO noted this was a testing feature that was left active once the systems went live, due to human error (although such information was only retained for 95 days). In the ICO’s view implementation of industry-standard manual code review would have prevented this error, and in light of the Payment Card Industry Data Security Standard (“PCI DSS”) CVV numbers should not have been logged at all.
  • Protection of website code. Although there were change management controls in place to manage changes to website code, in the ICO’s view there were insufficient measures in place to detect unauthorised changes to the website code. In the ICO’s view measures to detect this type of malicious activity could have been put in place, including file integrity monitoring, which allows the system to detect and alert an organisation to changes being made to its code.

In light of these technical issues, the ICO found that BA had failed to process its customers’ personal data in a manner that ensured appropriate security.

The comments from the ICO provide an indication of the security measures expected to protect against similar attacks, in particular the expectation that multi-factor authentication (or an appropriate alternative) is used for remote access, even where the system being accessed does not itself contain personal data (e.g. where this could lead to further access to other systems which do contain personal data and/or allow an attacker to unlawfully access personal data).

Calculation of the penalty

The ICO held that a financial penalty was appropriate because in its view this was a serious contravention, a large number of individuals had been affected and there was a degree of damage or harm to those individuals. Key factors in determining the initial level of the penalty included the fact that BA was only alerted to the issue by a third party, the likelihood that many affected individuals would have suffered anxiety and distress as a result of the breach, and the duration of the breach. The ICO was not swayed by arguments that (beyond the specific issues which were exploited in this attack) BA’s security as a whole was robust, or that the attacker was particularly sophisticated.

In June 2019 the ICO issued BA with a notice of intent to impose a monetary penalty of £183m. Although not explored in detail in the monetary penalty notice, it appears the reduction from the proposed amount of £183m was a result of the detailed representations and additional information provided by BA, in tandem with the cooperation process whereby the ICO as lead supervisory authority had to consult with other EU authorities regarding its proposed course of action. Much of the decision is dedicated to the ICO’s defence of its approach to the assessment of the penalty (perhaps not surprisingly in light of the significant climbdown from the initially proposed figure).

Following the representations and additional information from BA, the ICO sets out in its monetary penalty notice that the penalty would have been £30m, but was reduced by 20% to £24m on account of mitigating factors such as immediate action taken by BA to minimise damage suffered by data subjects, promptly informing data subjects, the ICO and other agencies.

The monetary penalty was further reduced by £4m to £20m on account of the impact of the COVID-19 pandemic on BA and more generally. Notwithstanding those reductions, this is still the highest monetary penalty issued by the ICO to date.

Interestingly, the ICO directly addressed the point that under the GDPR breach of the requirements in relation to technical and organisational security measures under Article 32 of the GDPR is subject to a maximum of 2% of annual worldwide turnover of the preceding financial year or €10m (whichever is greater), whereas breach of the integrity and confidentiality principle under Article 5(1)(f) is subject to a maximum fine of 4% of annual worldwide turnover of the preceding financial year or €20m (whichever is greater). The ICO made clear in its monetary penalty notice that because Article 5(1)(f) has been breached, it is able to impose a monetary penalty under the 4%/€20m tier and is not restricted to the 2%/€10m tier because Article 32 has also been breached.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

David’s extensive experience in the IT and communications sector includes long-term technology services, outsourcing, software/systems procurement and development, and privacy and data protection. He focuses principally on dispute resolution in the field of technology and outsourcing contracts, and has represented numerous major suppliers and customers in contract renegotiation. He is a partner in the London office.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

James is a Senior Associate in the London Technology team. James advises on a wide range of contentious and non-contentious matters across a variety of industry sectors. His practice primarily consists of advising on commercial contracting arrangements, IT and business process sourcing, technology disputes, data protection and other regulatory issues. James has also been seconded to the network sharing and IT procurement team of a mobile network operator, the operations and technology procurement team of a mobile network operator and to the IP agreements and licensing team of a leading international oil company.