Since its implementation in 2018, GDPR has changed the way in which businesses are expected to handle and secure data. With the ICO announcing this week that it is intending to fine British Airways £183 million for its 2018 data breach, our latest blog post takes a look at the risks being faced and the precautions organisations should be taking to mitigate the effects of a cyber-attack.
So, why the record breaking fine?
Back in September 2018, BA disclosed that its website had been hacked and that the personal details of approximately 500,000 customers had been obtained by cyber criminals. The hackers infiltrated the BA website and diverted traffic to a fraudulent website, which allowed personal data (including names, email addresses and credit card information) to be gathered. In its report, the ICO concluded that BA’s security arrangements were poor.
Following the announcement of its intent to impose a record-breaking fine on BA, the ICO announced that its investigation into the Marriott data breach had resulted in a proposed £99.2 million penalty for its breach of GDPR. Some 30 million guest records were compromised, with credit card details, passport numbers and dates of birth stolen. The ICO stated that Marriott had failed to undertake sufficient due diligence to make sure its IT systems were secure.
Since GDPR’s implementation, the ICO has had the power to impose fines of up to 4% of an organisation’s turnover. Prior to GDPR, the maximum fine possible for mishandling data had been £500,000; Facebook was fined this amount for its role in the Cambridge Analytica affair. BA’s fine, set to be imposed by the ICO, represents 1.5% of its 2017 turnover; the numbers alone show how seriously information security and data protection are being treated under the GDPR rules – organisations are sure to feel the impact of mishandling data.
What are the biggest risks to businesses?
According to a 2018 Defense Cyberthreat report, the weakest links within IT security are containers, mobile devices and cloud infrastructure. With 77% of organisations having been victimised by one or more successful cyber-attacks, it’s inevitable that hackers will try to infiltrate your network to gather as much data as possible. IT infrastructure is often left vulnerable because businesses underestimate the sophistication and complexity of malware and the range of techniques used by professional cyber criminals.
With a wealth of personal data being stored in the cloud by travel companies, cloud security is quickly becoming a cyber-attack target, with many businesses not realising that it is their own responsibility to protect the data they store on a public cloud. With technology evolving at a rapid pace, many organisations have implemented processes and workflows without fully understanding the opportunities that infrastructure weaknesses present to hackers.
Not to be underestimated, under-trained staff pose a real cyber-threat to companies. Spear-phishing is a widely adopted means of cyber-attack, in which cyber criminals take time to gather information about their target to increase the authenticity of their emails. This can often result in employees inadvertently engaging with fraudulent emails and disclosing confidential information. Although this may seem basic, many phishing emails are extremely realistic and do not bear the traditional hallmarks of a scam email (e.g. poor spelling, incorrect branding, masked email addresses). Many cyber criminals have improved the quality of their work, making it very difficult for staff to distinguish a genuine email from a cyber-attack.
What can your organisation do to prepare for a cyber-attack?
Because of this inevitability, businesses must have the correct safeguards in place to mitigate the impact of a cyber-attack; a substandard solution could leave a company’s cyber doors wide open to a large data breach, resulting in harm to consumers and brand/reputational damage. The ICO has made its stance very clear in its BA and Marriott rulings: it will not tolerate poor security efforts. Without evidencing rigorous security precautions and solutions through certification, companies are left exposed to hefty fines from the ICO in the event of a data breach.
Many organisations, especially within the travel sector, are turning to cyber-security specialists to protect the reams of customer data required to deliver the services they provide. Not only is it important to safeguard data and its storage (both on-prem and in the cloud), businesses must also place importance on protecting their websites to prevent a BA-type hack. Quick and simple solutions are no longer enough to mitigate the impact of a cyber-attack – as cyber criminals have grown in sophistication, so must the preventative solutions. Businesses should be seeking professional and specialist guidance to build a comprehensive, tailored security infrastructure, certify against recognised security standards and implement specialised cyber training for staff.