TC957
Topic Author
Posts: 3479
Joined: Wed May 23, 2012 1:12 pm

BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:26 am

 
Virtual737
Posts: 608
Joined: Tue Jul 19, 2016 6:16 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:33 am

If only that £183M would be spent trying to find / prosecute / exterminate those that committed the real crime.
 
avier
Posts: 894
Joined: Tue Aug 07, 2018 12:38 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:34 am

Does that fine go to the affected parties, i.e. pax who had their identity/info stolen, or to the govt's kitty? If the latter, then shame on the govt. Broke countries just trying to milk their larger corporations.
 
Draken21fx
Posts: 199
Joined: Wed Jun 15, 2016 10:38 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:44 am

Without trying to take sides, the rules have been clear for a few years now. As a matter of fact, because of that, some US companies/websites decided to pull out of the EU market.

I do agree with the ouch, but it could have been up to 4%, and it is not the UK govt's rule but rather an EU rule.
 
KFLLCFII
Posts: 3488
Joined: Sat Sep 11, 2004 7:08 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 9:20 am

Businesses don't pay taxes and fines...Their customers do...

I assume the airline will temporarily reduce or remove the discounted government fare structure to pass the government "fine" onto the government...Which effectively means that UK citizens will be paying the "fine".

Ahh, the joys (consequences) of "progressive" government policies/decisions.
"About the only way to look at it, just a pity you are not POTUS KFLLCFII, seems as if we would all be better off."
 
TYCOON
Posts: 476
Joined: Sun Feb 18, 2007 8:20 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 9:46 am

KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

I assume the airline will temporarily reduce or remove the discounted government fare structure to pass the government "fine" onto the government...Which effectively means that UK citizens will be paying the "fine".

Ahh, the joys (consequences) of "progressive" government policies/decisions.



So much wrong with this line of reasoning... just don't know where to begin!
 
zkojq
Posts: 3823
Joined: Fri Sep 02, 2011 12:42 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 9:51 am

Will board members or CEOs lose their bonuses thanks to this?

"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

Ahh, the joys (consequences) of "progressive" government policies/decisions.

Yes, I hate holding companies accountable for their actions or lack of action.


You say that the customers pay the fine, but by the same standard customers will have enjoyed lower fares thanks to the carrier's underinvestment in IT during previous years.
First to fly the 787-9
 
davidjohnson6
Posts: 334
Joined: Mon Jun 20, 2016 10:10 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 10:04 am

The shareholders will get punished in the main, and will demand that IAG strengthen their investment in IT security. The extra IT costs long term will be borne by customers, but it also means in future customers are less prone to credit card or ID fraud.

I suspect as well that unless the CIO had been screaming to Alex Cruz about underinvestment in IT, he/she will now be looking for a new job.

While IAG were made an example of, this will also motivate many companies in Europe to be more willing to invest in IT security.
You won't hear about this change of mind, but CEOs will be more liberal with IT security spending in future, where previously companies decided it was not a priority. The cost of that additional security is significantly less than the potential value of the fine.
 
KFLLCFII
Posts: 3488
Joined: Sat Sep 11, 2004 7:08 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 10:08 am

TYCOON wrote:
KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

I assume the airline will temporarily reduce or remove the discounted government fare structure to pass the government "fine" onto the government...Which effectively means that UK citizens will be paying the "fine".

Ahh, the joys (consequences) of "progressive" government policies/decisions.



So much wrong with this line of reasoning... just don't know where to begin!


...Are they going to pull the "fine" out of the pockets of the C-suite?

zkojq wrote:
Will board members or CEOs lose bonus thanks to this?

"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

Ahh, the joys (consequences) of "progressive" government policies/decisions.

Yes, I hate holding companies accountable for their actions or lack of action.

You say that the customers pay the fine, but by the same standard customers will have enjoyed lower fares thanks to the carrier's underinvestment in IT during previous years.

You just proved my point: They'll pay for it now. (But most likely the average citizen won't see it...The discounted government fare structure will.)

By the way: Unless you're arresting/fining a business' C-suite or employees directly, the only parties to a business you're actually holding accountable are its customers.

Everything else is just "feel-good" government policy.
"About the only way to look at it, just a pity you are not POTUS KFLLCFII, seems as if we would all be better off."
 
Pyrex
Posts: 4631
Joined: Thu Aug 25, 2005 7:24 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 10:15 am

This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.
Read this very carefully, I shall write this only once!
 
SelseyBill
Posts: 709
Joined: Wed Jul 17, 2013 7:38 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 10:32 am

zkojq wrote:
Yes, I hate holding companies accountable for their actions or lack of action..


........how about holding the, you know, actual criminals to account here? This is getting far too easy to do this sort of thing.

If I was one of these criminals, I would be thinking about trying to hack into the computer of the 'Information Commissioner's Office' just to prove a point.

I'm sure BA, like all businesses, can always do more to improve their IT security, but this fine to me smacks of someone getting burgled, and then fining that homeowner because their home security isn't good enough. It seems typical to me of modern toothless, spineless government in these crazy times, that they seek to punish everyone, instead of punishing the actual wrongdoers.

Do we get a tax refund when government departments or agencies get hacked? Didn't think so.........
 
MIflyer12
Posts: 5582
Joined: Mon Feb 18, 2013 11:58 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:27 am

Virtual737 wrote:
If only that £183M would be spent trying to find / prosecute / exterminate those that committed the real crime.


BA's fine isn't supposed to fund law enforcement. The fines are supposed to be deterrents, to, you know, get companies to take data security seriously and implement appropriate measures.
 
smartplane
Posts: 1024
Joined: Fri Aug 03, 2018 9:23 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:35 am

Draken21fx wrote:
Without trying to take sides the rules were clear for a few years now. As a matter of fact, because of that, some US companies/websites decided to pull out of the EU market.

I do agree with the ouch but it could have been up to 4% and it is not the UK govt's rule but rather an EU rule.

So another benefit of leaving the EU, and IAG maintaining a significant base in the UK.
 
Ziyulu
Posts: 618
Joined: Thu Oct 13, 2016 10:35 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:43 am

KFLLCFII wrote:
TYCOON wrote:
KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

I assume the airline will temporarily reduce or remove the discounted government fare structure to pass the government "fine" onto the government...Which effectively means that UK citizens will be paying the "fine".

Ahh, the joys (consequences) of "progressive" government policies/decisions.



So much wrong with this line of reasoning... just don't know where to begin!


...Are they going to pull the "fine" out of the pockets of the C-suite?

zkojq wrote:
Will board members or CEOs lose bonus thanks to this?

"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

Ahh, the joys (consequences) of "progressive" government policies/decisions.

Yes, I hate holding companies accountable for their actions or lack of action.

You say that the customers pay the fine, but by the same standard customers will have enjoyed lower fares thanks to the carrier's underinvestment in IT during previous years.

You just proved my point: They'll pay for it now. (But most likely the average citizen won't see it...The discounted government fare structure will.)

By the way: Unless you're arresting/fining a business' C-suite or employees directly, the only parties to a business you're actually holding accountable are its customers.

Everything else is just "feel-good" government policy.


No, they will just get rid of their "afternoon tea" on flights. That will save money!
 
leghorn
Posts: 880
Joined: Sun Jan 22, 2017 9:13 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:49 am

The hackers stole CVV numbers too. This is bad.
They didn't get burgled, they set up on a payments system where thieves could look over the shoulder of everyone entering their card and personal details.
This is the sort of stuff that GDPR legislation is intended to stamp out. It is good progressive law.

Details on the weaknesses of the BA payments page are mentioned here.

https://www.theregister.co.uk/2018/09/1 ... e_scripts/
 
leghorn
Posts: 880
Joined: Sun Jan 22, 2017 9:13 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:52 am

smartplane wrote:
Draken21fx wrote:
Without trying to take sides the rules were clear for a few years now. As a matter of fact, because of that, some US companies/websites decided to pull out of the EU market.

I do agree with the ouch but it could have been up to 4% and it is not the UK govt's rule but rather an EU rule.

So another benefit of leaving the EU, and IAG maintaining a significant base in the UK.

IAG is a Spanish company.
Allowing Companies to be careless with the details of their Customers is and will never be a benefit of leaving the EU.
GDPR legislation applies to E.U. Citizens and any E.U. Citizens consuming the service of IAG will still be protected.
 
FabDiva
Posts: 154
Joined: Wed Jul 06, 2016 6:42 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 11:56 am

Hopefully this will spur many more companies into spending more on their data security. I also bet Ticketmaster is relieved that their huge multi-month breach was disclosed just before GDPR came in.
 
Indy
Posts: 4843
Joined: Thu Jan 20, 2005 1:37 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:00 pm

Pyrex wrote:
This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.


BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.
Indy = Indianapolis and not Independence Air
 
Bhoy
Posts: 360
Joined: Tue Apr 18, 2006 1:50 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:16 pm

With a bit of luck, Alex Cruz will carry the can, and a consumer friendly CEO will come in. :duck:
 
Pyrex
Posts: 4631
Joined: Thu Aug 25, 2005 7:24 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:30 pm

Indy wrote:
Pyrex wrote:
This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.


BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.


So, if gunmen storm a bank, take its employees hostage and steal all the safety deposit boxes, the bank should be fined to add insult to injury, correct? After all, it was the customers who were robbed...

This is a typical example of some incompetent government bureaucrats acting with the benefit of hindsight, nothing more, nothing less.
Read this very carefully, I shall write this only once!
 
leghorn
Posts: 880
Joined: Sun Jan 22, 2017 9:13 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:48 pm

Pyrex wrote:
Indy wrote:
Pyrex wrote:
This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.


BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.


So, if gunmen storm a bank, take its employees hostage and steal all the safety deposit boxes, the bank should be fined to add insult to injury, correct? After all, it was the customers who were robbed...

This is a typical example of some incompetent government bureaucrats acting with the benefit of hindsight, nothing more, nothing less.

Can you please review the link I provided above and not post again until you understand the content contained therein. Flying a plane isn't easy, but you expect competence of those entrusted to do so on behalf of those availing of the service. Managing a website which processes the payment details of millions of customers isn't easy, but you expect competence of those entrusted to do it, and keeping the payment session isolated from other activities is good practice which was not observed by IAG.
A simple "Mea Culpa" will not suffice.
 
bgm
Posts: 2134
Joined: Fri Sep 11, 2009 9:37 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:51 pm

Pyrex wrote:
Indy wrote:
Pyrex wrote:
This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.


BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.


So, if gunmen storm a bank, take its employees hostage and steal all the safety deposit boxes, the bank should be fined to add insult to injury, correct? After all, it was the customers who were robbed...

This is a typical example of some incompetent government bureaucrats acting with the benefit of hindsight, nothing more, nothing less.


If the safety deposit boxes are not securely locked due to cost cutting measures by the bank, then it most definitely is the bank’s fault. Not sure if you’re able to see that through your rage.
 
readytotaxi
Posts: 6582
Joined: Mon Dec 11, 2006 2:09 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:54 pm

On a side note, how many people here have their data on their PCs encrypted? After working in IT I have the following setup. My hard drive is encrypted and will not boot up without the password, in case the machine is lost or stolen. The files stored on the drive are also encrypted with a different password. All this is so very simple to use and secure. It really is a case of laziness or an "it won't happen to me" attitude.
Last edited by readytotaxi on Mon Jul 08, 2019 12:56 pm, edited 1 time in total.
you don't get a second chance to make a first impression!
Growing older, but not up.
 
Virtual737
Posts: 608
Joined: Tue Jul 19, 2016 6:16 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:54 pm

MIflyer12 wrote:
Virtual737 wrote:
If only that £183M would be spent trying to find / prosecute / exterminate those that committed the real crime.


BA's fine isn't supposed to fund law enforcement. The fines are supposed to be deterrents, to, you know, get companies to take data security seriously and implement appropriate measures.


I know this. However, having worked directly with law enforcement on cyber crime I know first hand that their budgets are pathetically low. So, routing the fine to law enforcement might, you know, kill 2 birds with 1 stone.
 
enzo011
Posts: 1672
Joined: Tue Jun 21, 2011 8:12 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 12:56 pm

Pyrex wrote:
Indy wrote:
Pyrex wrote:
This is like fining a bank for being robbed at gunpoint - effectively robbing BA twice.

And let's be honest, if whatever government bureaucrat decreed this fine actually knew how to protect a network better than BA, who they accused of being incompetent, they would no longer be a government bureaucrat but doing something useful for society instead, like being a highly-paid cyber security consultant.


BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.


So, if gunmen storm a bank, take its employees hostage and steal all the safety deposit boxes, the bank should be fined to add insult to injury, correct? After all, it was the customers who were robbed...

This is a typical example of some incompetent government bureaucrats acting with the benefit of hindsight, nothing more, nothing less.



How is this effectively BA losing money twice? Did they get their bank details stolen or was it their customers?
 
Dominion301
Posts: 2212
Joined: Wed Jul 20, 2016 1:48 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 1:05 pm

KFLLCFII wrote:
Businesses don't pay taxes and fines...Their customers do...

I assume the airline will temporarily reduce or remove the discounted government fare structure to pass the government "fine" onto the government...Which effectively means that UK citizens will be paying the "fine".

Ahh, the joys (consequences) of "progressive" government policies/decisions.


If you think that's what would happen, then clearly you have no clue as to how government (or even basic contracting) functions.
 
Revelation
Posts: 21173
Joined: Wed Feb 09, 2005 9:37 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 1:53 pm

Indy wrote:
BA didn't get robbed. Their customers did. As an IT insider, I can tell you that a lot of this happens because of sloppy work. Businesses cut corners with the budget and don't allow developers the time and resources needed to properly secure assets. They outsource and make deadlines a priority over quality. Then there is the issue with bad workers in the field. Too many simply suck at what they do. They jump from bandwagon to bandwagon trying to pad their list of skills. They never get good at anything. The industry is all about hype, buzzwords, and the next bandwagon. Combine the corner-cutting executives with the bandwagon-jumping IT guys and you have the kind of environment that allows for data breaches to occur.

I'm betting that BA didn't get fined because someone managed to breach their impenetrable fortress. They were likely fined because someone cut corners, ignored warnings, and generally acted in an irresponsible way to save money. Putting the bottom line ahead of security is a great way to get fined.

I agree with all you wrote.

This law exists because it's clear businesses put their bottom line ahead of securing their customers' data.

Pyrex wrote:
So, if gunmen storm a bank, take its employees hostage and steal all the safety deposit boxes, the bank should be fined to add insult to injury, correct? After all, it was the customers who were robbed...

This is a typical example of some incompetent government bureaucrats acting with the benefit of hindsight, nothing more, nothing less.

Nope, this is more like a bank vault having a trap door in the bottom where robbers can enter and exit unseen and the bank acting surprised when the money is gone.

Companies put up a facade of security and do nothing to provide actual security then act as if they did nothing wrong, because the penalty for doing a bad job has been so cheap it's easier to pay the fine than provide actual security.

This law has real teeth in it, the kind where the BoD is going to notice that their IT team is doing a terrible job and changes need to be made pronto.

davidjohnson6 wrote:
The shareholders will get punished in the main, and will demand that IAG strengthen their investment in IT security. The extra IT costs long term will be borne by customers, but it also means in future customers are less prone to credit card or ID fraud

I suspect as well that unless the CIO had been screaming to Alex Cruz about under investment in IT, he/she will now be looking for a new job

While IAG were made an example of, this will also motivate many companies in Europe to be more willing to invest in IT security
You won't hear about this change of mind, but CEOs will be more liberal with IT security spending in future, where previously companies decided it was not a priority. The cost of that additional security is significantly less than the potential value of the fine

Yep.

https://www.theregister.co.uk/2018/09/1 ... e_scripts/ says:

Security vendor RiskIQ has advanced the theory that malicious code was planted on the airline’s payments page, via a modified version of the Modernizr JavaScript library. To carry out the attack in this way, hackers would have had to modify JavaScript files without hobbling its core functionality.

The added code then uploaded data to a server hosted on baways.com, according to RiskIQ. “The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection,” the firm said in a blog post. “The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate.”

So no one at BA noticed the modified code, and no one noticed all the side transactions going to the fake baways.com site.

Actually, someone at BA eventually did notice, so the fine was reduced by more than half, because by the time they did, half a million customers' data had been stolen.
Wake up to find out that you are the eyes of the world
The heart has its beaches, its homeland and thoughts of its own
Wake now, discover that you are the song that the morning brings
The heart has its seasons, its evenings and songs of its own
 
zkojq
Posts: 3823
Joined: Fri Sep 02, 2011 12:42 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:45 pm

Good post, Revelation.

KFLLCFII wrote:
You just proved my point: They'll pay for it now. (But most likely the average citizen won't see it...The discounted government fare structure will.)

Nope. Fares are based on what the market will bear. If BA could suddenly raise an extra £183,000,000 of revenue through raising their prices without losing any customers they would do that immediately, regardless of any fines.
First to fly the 787-9
 
gunnerman
Posts: 866
Joined: Fri May 19, 2017 7:55 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 8:56 pm

I do not see this problem as a matter of money; rather it's about how the payments pages were designed, coded and reviewed. Who did all of this isn't known, as BA has outsourced so much IT over the years. What I will say is that in the days when I was a Java developer I'd never put so much functionality in JavaScript, as it's surely best to do a lot of this stuff on the server side, which cannot be compromised.
 
ZaphodHarkonnen
Posts: 928
Joined: Sun Jan 04, 2015 10:20 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 9:09 pm

Developer with 10+ years experience here.

This is totally reasonable. For decades companies have viewed IT as just a cost centre that delivers no inherent value, while at the same time requiring functioning IT for their entire business to operate. Until now they have had no incentive to properly fund IT systems resilience and security. That is what GDPR is intended to do: incentivize businesses to resource their IT infrastructure properly. Think of this like all the regulations around aircraft maintenance and safety. Without such regulation we know that many airlines would skimp and cut corners; we have the evidence of such behavior.

Yes, BA is in part being used as an example. But storing such private and valuable information in an insecure form was a form of professional gross negligence. It is like a bank storing its cash in wooden drawers in the lobby secured by cheap little padlocks. You can argue it's 'secure', but you wouldn't store your money in such a bank. So they've been slapped as an example, and other large companies now know the same can happen to them.

And as a postscript. For those thinking that this is some sort of EU overreach? This is specifically UK legislation passed by the UK parliament according to the Standing Orders of the UK Houses of Parliament. That includes the UK parliament agreeing to work with the EU on such decisions. So quit your moaning.
 
User avatar
Revelation
Posts: 21173
Joined: Wed Feb 09, 2005 9:37 pm

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 9:19 pm

gunnerman wrote:
Who did all of this isn't known as BA has outsourced so much IT over the years.

Yet BA didn't outsource the responsibility for protecting their customers' data.

This penalty should remind them of that.

It reminds me of a nerd joke: "The 'S' in 'IoT' is for security!". :biggrin:
Wake up to find out that you are the eyes of the world
The heart has its beaches, its homeland and thoughts of its own
Wake now, discover that you are the song that the morning brings
The heart has its seasons, its evenings and songs of its own
 
ZaphodHarkonnen
Posts: 928
Joined: Sun Jan 04, 2015 10:20 am

Re: BA to be fined £183M for last year's data breach

Mon Jul 08, 2019 10:03 pm

gunnerman wrote:
I do not see this problem as a matter of money, rather it's about how the payments pages were designed, coded and reviewed. Who did all of this isn't known as BA has outsourced so much IT over the years. What I will say is that in the days when I was a Java developer I'd never put so much functionality in Javascript as it's surely best to do a lot of this stuff on the server side which cannot be compromised.


Location of the code has absolutely no bearing on security. I could build a perfectly secure card storage service in JavaScript. Not that I would, as I think there are simply better languages, but I could if required.

You'll likely find that on the server side BA had lax to no access control or auditing on the databases and systems that stored this data, and that the data was unencrypted at rest. Access to such a system should have been restricted to the minimum number of people required; requests to pull data out should not only be authenticated but authorisation-checked. And the data should only be decrypted the moment it's needed, and the moment its need has passed, the memory location with the data should have been instantly freed and overwritten.

Even that wouldn't be perfect. But nothing is. You can make it just not worth the effort to breach though.

Line of business apps that deal with private payment data like this are what I cut my developer teeth on. And now I write software that deals with private health information. You have to design security and safety into the architecture of the software to best protect it. It's hard, dirty, and unglamorous. But it's what you have to do to do things properly.
 
User avatar
FabDiva
Posts: 154
Joined: Wed Jul 06, 2016 6:42 pm

Re: BA to be fined £183M for last year's data breach

Tue Jul 09, 2019 7:04 pm

Marriott have just been hit with a £99 million fine for a breach. Companies are really going to have to take note of security now the fines are greater than the cost of securing.
https://www.bbc.co.uk/news/technology-48928163
 
User avatar
Kindanew
Posts: 163
Joined: Tue May 30, 2017 11:07 pm

Re: BA to be fined £183M for last year's data breach

Tue Jul 09, 2019 8:06 pm

I find it hard to believe that there are some who think this fine is the act of some kind of tyrannical government when in fact they should be criticising BA for having lax security.
 
Brickell305
Posts: 624
Joined: Sat Jun 24, 2017 2:07 pm

Re: BA to be fined £183M for last year's data breach

Tue Jul 09, 2019 9:35 pm

Kindanew wrote:
I find it hard to believe that there are some who think this fine is the act of some kind of tyrannical government when in fact they should be criticising BA for having lax security.

Are you really surprised? The extent to which members of this board will perform mental gymnastics to defend their favorite airline has always ranged from laughable to downright ridiculous. This is nothing new.
 
User avatar
vhtje
Posts: 996
Joined: Sat Jan 10, 2009 12:40 pm

Re: BA to be fined £183M for last year's data breach

Wed Jul 10, 2019 1:51 pm

SelseyBill wrote:
I'm sure BA, like all businesses, can always do more to improve their IT security, but this fine to me smacks of someone getting burgled, and then fining that homeowner because their home security isn't good enough.


No, and that is a gross oversimplification.

BA were fined because they were in breach of GDPR laws that are aimed at protecting consumers' privacy and data. BA (and any other organisation), in holding this data, have a legal responsibility to ensure that this data is kept in a way that is secure. There are strict and explicit rules about how this data is to be kept, and in what manner it may be used and accessed. BA were fined because they failed to follow these laws, not because they were hacked. The hacking incident exposed BA's lack of adherence to the laws.

BA's fine, at 1.5% of its annual turnover, is relatively light considering that the fine could have been up to 4% of their annual turnover.

There have been other breaches and fines imposed since the new GDPR rules came into place, BA being one of the few to be made public.
I only turn left when boarding aircraft. Well, mostly. All right, sometimes. OH OKAY - rarely.