British Airways has been fined £20m ($26m) under the GDPR by the Information Commissioner's Office (ICO) for a data breach which affected more than 400,000 customers.
So, what does that have to do with you and your business? I can think of two universal forces at work here.
Why they were fined and
How hackers got in.
Let’s take these one at a time.
BA were not found to be malicious or even to have known that they were out of compliance. Why were BA fined?
According to the ICO, the post-breach investigation concluded that BA lacked “sufficient security measures” at the time. As I had emphasized in an earlier post, Three words that will make or break your compliance programs, regulators deliberately saturate their regulations with “meaningfully ambiguous” terms like reasonable, effective, and appropriate, to give slower moving statutes (like the GDPR) much needed “elasticity” to keep pace with faster moving technological, political, and societal change.
So what about BA’s security was found to be “insufficient?” Apparently, BA failed to take advantage of a number of security measures that were inside the version of MS Windows that BA was using at the time.
"The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security," said Information Commissioner Elizabeth Denham.
Failing to use available security measures can be characterized as “inappropriate” and, as such, can qualify as a punishable offense (to the tune of over $25M in the case of BA).
Flipping this into an action rather than an act of omission, when suppliers offer upgraded/enhanced security controls, organizations would be well-advised to promptly evaluate their suitability and DOCUMENT their conclusions and any next steps.
How did hackers get a hold of 400K consumer credit card records? While the complete story has not been made public (at least as far as I have seen), a BBC News article, British Airways breach: How did hackers get in, builds a pretty good case that BA’s supply chain was compromised at the point of sale. Further, it would seem that the hackers likely exploited a third-party vulnerability.
Do not expect that your organization’s liability will, in any way, be limited due to the fact that a breach may stem from a third-party exploit – regardless of what your software or service license agreements may say to the contrary.
Flipping this to an action rather than an unmanaged risk, include your own security and governance measures into your third-party agreements and DOCUMENT that your suppliers (and their suppliers) are operating under controls equivalent to your own.
What does BA’s £20m GDPR fine have to do with you?
It serves as an unambiguous precedent affirming that:
Failure to track and respond to BOTH emerging threats AND emerging compensating controls can be treated as a material punishable offense.
Extending internal risk management policies onto vendors after procurement can be an effective means to mitigate supply chain risk above and beyond liability clauses and service level agreements.