As many of our readers will know, British Airways (BA) suffered a data breach affecting at least 380,000 customers as reported by Sky News and other channels.
The first impact on the company is sobering. Over GBP 500m was wiped off the group’s market value on the day of the announcement, although the share price rallied later.
A statement was issued by the Information Commissioner’s Office (ICO) saying that “British Airways has made us aware of an incident and we are making enquiries.”
If the ICO takes enforcement action under the new Data Protection Act, which implements the EU General Data Protection Regulation (GDPR) in UK law, the maximum penalty is 4 percent of global annual turnover. British Airways’ total revenue for the year ended December 31, 2017 was GBP 12.2bn, so the ceiling would translate into a fine of around GBP 500m.
So, with an initial GBP 500m hit on the share price and a potential fine of another GBP 500m, the investment case for cybersecurity suddenly does not look so far-fetched after all.
This case also shows that the bad actors are getting more sophisticated. Security professionals must pay attention throughout the whole data lifecycle, not just at key points such as network entry (firewalls) or data storage (access control, encryption).

The inclusion of CVV codes in the stolen data is what makes this breach so significant. The CVV (Card Verification Value) is only ever supposed to be used to authenticate a transaction; the PCI DSS forbids a merchant or payment processor from retaining it once the transaction has been authorised. BA insists that it did not store the CVV. If that is true, the data cannot have been lifted from a database at rest: it must have been captured in flight (pardon the pun!), at the moment customers entered it or while it was in transit. So researchers and security professionals will be watching closely as details emerge of how exactly the attack took place.