The Information Commissioner’s Office (ICO) has informed British Airways that it is facing a record fine of £183.39 million, the biggest fine ever issued by the ICO.
Between June and September 2018, the airline suffered a massive cyber-attack leading to the personal and financial information of over 500,000 customers being stolen. The sensitive information, which included people’s passport numbers, names and addresses and credit card details, was stolen from the airline’s website and mobile app.
The ICO launched an extensive investigation and found that a variety of information was compromised, and that the airline was to blame because it had poor security arrangements in place and failed to protect customers’ data. The data breach involved user traffic to the British Airways site being diverted to a fraudulent site, from which the hackers then harvested customer details.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO acted as lead investigator but liaised with several other European Union regulators. It said BA cooperated with its investigation and had now made security improvements to its site.
BA and the other regulators now have 28 days to make representations to reduce the fine. In response, the airline said it was disappointed in the fine because it cooperated fully and had found no evidence that the stolen cards were used. It said it would make representations and appeal the decision.
What happens to your data after a hacker steals it?
The majority of cyber-attacks are for the purpose of making money. A highly trained cyber-criminal will take your personal information and sell it on the dark web. Once an attack has happened and the hacker has your data, the following process begins:
- Hackers will go through the stolen data files and fish out personal information like names, addresses and phone numbers, and financial information like credit card details.
- The hacker then packages up the information, such as names, addresses, phone numbers and email addresses, to sell it. This is typically done in bulk; a full set of someone’s personal information, including address, birthdate and credit card details, can net the fraudster hundreds of pounds.
- Hackers then look for potentially more lucrative accounts. Government and military addresses are very valuable as well as company email addresses and passwords.
- Credit card numbers are sold in bulk and purchased by a broker, who then sells them on to a carder. The carder uses them to buy gift cards for large stores such as Amazon; the gift cards are then used to buy physical items such as electrical goods, which are sold on legitimately on sites such as eBay.
- After several months the data is less valuable, but the hacker can still sell it in bulk at a discounted price.