The British Airways hack in September 2018 has now been revealed to have affected 500,000 payment cards in a huge breach of personal data, and it could cost the company a record £183 million in fines. What lessons can we learn from this high profile cyber-attack?
On the morning of Thursday 6th September 2018, British Airways published a tweet stating that they were investigating the theft of customer data. Between 10:58pm on Tuesday 21st August and 9:45pm on Wednesday 5th September, cybercriminals stole the personal and financial details – including an estimated 380,000 payment cards – of customers booking flights through the British Airways website and mobile app.
The British Airways hack is one of the most serious data thefts to affect a UK company in recent years. It has now been reported that the details of around 500,000 customers were stolen, and the ICO has announced its intention to issue a £183 million fine to British Airways, 1.5% of the company’s global turnover. Although this is not the maximum possible fine (under GDPR legislation companies can be charged up to 4% of their turnover), it could be the biggest penalty the ICO has ever handed out and the first to be made public under the new GDPR rules.
Over and above this potentially hefty fine, the wider financial, operational and reputational damage suffered by British Airways is likely to be significant. What lessons can we learn from the British Airways hack, and how can you avoid a similar attack damaging your organisation?
British Airways Hack: What Lessons Can We Learn?
British Airways is a large, multi-national airline with a significant profile throughout the world. Its website deals with a huge number of transactions each day, making it a prime target for cybercriminals. But despite its scale and visibility, the lessons we can learn from the British Airways hack apply to all organisations, regardless of scale or industry vertical.
Lesson One: Prevention is Better than Cure
Today’s cyber-attacks are sophisticated, carefully planned, ruthlessly executed, and – as the British Airways hack proves – often highly successful. Traditional security measures such as endpoint antivirus, email security and perimeter firewalls are no longer enough to protect your organisation.
True cyber resilience requires a combination of people, processes and systems. If you want to minimise the risks your business faces, you need to make prioritised, actionable cybersecurity decisions that adapt to both changing technology and the evolving threat landscape.
Lesson Two: Attack Vectors are Changing
Although we don’t know the specific weaknesses that cybercriminals exploited in order to execute the British Airways hack, we do know that transactions carried out on the mobile app were compromised. As organisations introduce new ways to interact with people, the attack vectors available to cybercriminals evolve.
Whether it’s a mobile app that can process orders and payments, an Amazon Echo that allows you to order groceries using your voice, or a smart watch that tracks your location and health indicators, the data that is processed by the Internet of Things needs to be secured in a robust and appropriate manner.
Lesson Three: Develop a Cybersecurity Playbook
Cyber-attacks are a threat to all organisations. If you develop a cybersecurity playbook, you’ll be in a significantly stronger position to minimise the financial, operational and reputational damage that a successful cyber-attack can cause.
As British Airways has found, communication is key. The media have reported frustrated customers who were sent a blank email by British Airways, or who found out that their data had been breached on the news before British Airways had reached out to them. A cybersecurity playbook provides all members of your organisation with a clear understanding of their cybersecurity roles and responsibilities before, during and after a security incident.
Evolve to Protect Your Organisation from Cyber-Attack
Your organisation needs to evolve its cybersecurity posture in order to mitigate the risk of suffering a damaging cyber-attack. At Six Degrees, we have developed a family of managed service offerings that cover the full scope of today’s technology requirements, all with a process and change management wrap that allows you to focus on your organisation’s key deliverables.
Our acquisition of cybersecurity services and consultancy CNS Group allows us to deliver converged security and managed services: a unique proposition that gives your organisation and your customers reassurance that your IT systems remain secure, agile and effective in driving digital transformation.
CNS Group offers Aegis – a cybersecurity maturity benchmarking tool that employs a pragmatic, risk-based approach to help your organisation make better decisions around protecting your data. Aegis forms the basis of your cybersecurity action plan. Upon completion of an initial audit, CNS Group will implement a schedule of penetration tests that will identify and enable you to remediate any vulnerabilities. These continuous penetration tests are complemented by 24x7x365 monitoring, managed from a dedicated security operations centre that delivers rapid incident response.
If you are looking to benchmark your organisation’s cybersecurity preparedness, join our webinar on 17th July and discover your Cyber Security Maturity Score with our web-based scorecard developed using decades of cybersecurity expertise. If you are seeking support in adapting to the evolving threat landscape, our experts will also share some best practice approaches to help you mitigate the risk of a cybersecurity breach.