British Airways Faces Record £183m Fine For Data Breach (Jul 8, 2019)
The airline British Airways has been fined £183 million after a 2018 breach of its systems. Users were diverted to a fake website that stole the data of about 500,000 customers, including address, login, name, payment card and travel details. The fine was imposed because British Airways did not protect against loss, damage or theft, and it is the highest fine since the GDPR (General Data Protection Regulation) was enacted in April 2018. While British Airways claims there is no evidence of any fraudulent activity on the accounts that had been breached, reports from customers suggest they believe attempts were made.
Recommendation: Exposing customer information can lead to a violation of the General Data Protection Regulation (GDPR) that was implemented by the European Union (EU) in 2018. GDPR applies to organisations located within and outside the EU that hold the data of subjects residing in the EU. Article 4 of GDPR broadly defines “Personal Data” as “any information relating to an identified or identifiable natural person.” Failing to protect customer data and to disclose any leaked information to affected clients can result in affected entities filing a complaint with the Data Protection Authority (DPA). Entities can be subject to “administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.