British Airways could have avoided its £183 million GDPR fine. Here’s how

British Airways has been ordered to pay a record £183.4 million fine ($230 million) after a data breach compromised the personal details of more than half a million of its customers.

Starting as far back as June 2018, customers were targeted by a phishing scam that diverted them from the official BA website to a replicated website designed to steal credentials. These included login details, travel information and payment card data. No doubt the penalties for British Airways are also more severe because the company failed to disclose the incident until September 2018, four months after the attacks began.

"People's personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience," Information Commissioner Elizabeth Denham announced in her statement on the proposed fine. "That's why the law is clear — when you are entrusted with personal data you must look after it."

What has happened to British Airways is every company's worst nightmare. All customer-facing businesses live in fear of a data breach in which their users' sensitive information is stolen for malicious ends. The GDPR regulations have simply added a further layer to the serious financial consequences of this kind of cyber-attack.

As well as brand damage and direct loss of earnings, organizations that hold data on customers within the EU can now be fined up to 4% of their annual revenue for failing to protect customer data. But what does protecting your customers' data really mean?

What more should companies be expected to do?

The mistakes made by British Airways are not unique. In fact, nearly all businesses are unprepared for a phishing scam that could put customer data in jeopardy.

This is the statement from BA's CEO Alex Cruz on the proposed fine: "We are surprised and disappointed in this initial finding, [as] British Airways responded quickly to a criminal act to steal customers' data." It points to the change in mindset needed if companies want to stay safe from these kinds of attacks and thereby avoid GDPR penalties. Rather than wait and "respond" to a threat, brands need to be ahead of the game.

1. Proactive Scanning of the Entire Web: Traditional security tools only gain visibility into a business's own data centers and networks. In the middle of a phishing scam, the rest of the internet becomes one huge blind spot where attackers can hide. Protecting your internal data center is not enough when customers can be tricked into disclosing sensitive information anywhere. Brands need visibility across the whole web.
2. Be Alerted Ahead of Time: However quickly a company acts once a phishing scam is under way, it is always two steps behind the attackers, and damage is already being done. Businesses need to move to preventative security. This includes alerts on content scraping or manipulation of your site, before your customers are the ones making the call.
3. Immediate Block and Take Down: From the earliest stages of an attacker's preparation, your security solution should be able to identify and stop a phishing scam. This means you are never left on the back foot, scrambling to fix a problem that has already become a live threat.
4. Deceive the Attackers with False Data: Sophisticated deception technology can help a company go the extra mile to prove it has done everything it can to protect its customers' personal data. This includes fighting back against the attackers with dynamic deception techniques, feeding the phishing site millions of fake records that dilute the stolen data and make it unusable.

Altogether, this checklist mitigates a phishing scam like the one that BA customers fell victim to at the earliest possible stage. Long before the phishing website has gone live and can collect any customer information, you need to find the threat and take it down, ensuring you are not penalized for the loss of data or for the failure to disclose.
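The first two checklist items amount to watching newly observed hostnames for impersonation of your brand and raising an alert before a lookalike site goes live. The Python below is an added example of that check and is not code from the original post or from any vendor's product; the brand string, the legitimate domains and the hostname feed are constructed values, and the homoglyph table is a small illustrative subset.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed values for the example: the brand string to protect and the
# hostnames that are genuinely ours and must never be flagged.
BRAND = "britishairways"
LEGITIMATE = {"britishairways.com", "ba.com"}

# Constructed sample feed of newly observed hostnames, in the shape a
# certificate-transparency or passive-DNS feed would deliver them.
SAMPLE_FEED = [
    "www.britishairways.com",                # legitimate subdomain
    "britishairvvays-login.com",             # "vv" standing in for "w"
    "brítishairways.net",                    # accented i (IDN, decoded form)
    "bri7ishairways.co",                     # digit standing in for a letter
    "britishairways.com.secure-check.xyz",   # brand as a subdomain label
    "britishairway.com",                     # one character missing
    "example.org",                           # unrelated
]

# Small illustrative homoglyph table: digit and digraph substitutions.
SINGLE = str.maketrans("01357", "olest")
MULTI = {"vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold accents, case, digit and digraph homoglyphs into plain letters."""
    decomposed = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = folded.lower().translate(SINGLE)
    for digraph, letter in MULTI.items():
        folded = folded.replace(digraph, letter)
    return folded


def assess(host: str):
    """Return (host, reason) if the hostname impersonates BRAND, else None."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE or any(host.endswith("." + d) for d in LEGITIMATE):
        return None
    for raw in host.split(".")[:-1]:  # every label except the TLD
        label = normalize(raw)
        if BRAND in label:
            return (host, "brand-in-label")
        ratio = SequenceMatcher(None, BRAND, label.replace("-", "")).ratio()
        if ratio >= 0.85:  # near-miss spelling such as a dropped letter
            return (host, f"lookalike({ratio:.2f})")
    return None


def scan(feed):
    """Run assess() over a feed and keep only the hits worth alerting on."""
    return [hit for hit in map(assess, feed) if hit]
```

Punycode entries (`xn--...`) should be decoded with Python's `idna` codec before being passed to `assess`, so the accent folding sees the real characters.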

Learning from the British Airways phishing scam

It's clear that GDPR regulators are looking to make examples of businesses that fail to adequately secure customer data. The announcement of this record-breaking fine, directly tied to a dangerous customer phishing scam, should be taken as a serious wake-up call.

British Airways has the opportunity to appeal the Information Commissioner's decision, and only time will tell how this will affect its brand as a whole. However, it has left many people wondering why the company failed to protect its customers better to begin with.