A few days after British Airways suffered the worst cyberattack in its history, the airline still hasn’t revealed any technical details about the breach – beyond the official apology and the ensuing official notification to the appropriate authorities and all the affected clients – to the more than 380,000 users whose data was compromised after making purchases on BA’s website.
Names, email addresses, and credit card details – including numbers, expiry dates and CVV security codes – have been stolen. A few hints have allowed cybersecurity experts, such as Professor Alan Woodward, to get an idea of how the hackers were able to sneak onto BA’s website and app between August 21 and September 5. This was an attack similar to the one recently suffered by Ticketmaster, after a customer service chatbot was labeled as the potential cause of an infraction that affected over 40,000 users in the UK. In fact, in the last few hours, information has emerged that suggests that the perpetrators of this attack may also be behind the British Airways hack.
Money has wings…
Until a few months ago, companies would shrug their shoulders when faced with attacks of this type. The greatest concern during previous cyberattacks was the potential damage to reputations. But now, with the new General Data Protection Regulation and the fines that infringing it can lead to, there is a new threat for the coffers of companies that fall victim to security breaches like this, affecting both clients’ and investors’ pockets. And BA’s case has been no exception.
The most immediate consequence? Shares in IAG, the parent company of British Airways, fell around 3% on the Ibex and on the FTSE after the attack and its scope were revealed. This meant a 456 million Euro drop in its market value on Friday, after it emerged that hackers had stolen the payment details of 380,000 clients.
British Airways’ chairman and CEO, Álex Cruz, hasn’t explained how the data was stolen, though he has denied that the attackers had managed to breach the company’s encryption. “There were other methods, very sophisticated methods, that criminals used to obtain that data,” he said in an interview with the BBC.
However, Professor Woodward, in his statements, said, “You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?” The controversy is here.
How to avoid the fines
While it can’t be 100% categorically stated that it was a script attack that compromised British Airways’ security services, it does seem to be the most likely cause. However, other theories even talk about an expert within the company manipulating the website with malicious intent. The fact is that the airline is going through a rough patch as far as its IT system is concerned.
This incident has been a lesson, and has also underlined the need to invest in cybersecurity in order to demonstrate that enough is being done to safeguard sensitive data. Because the only way to avoid paying economic sanctions is to keep these security breaches from happening.
It has recently been shown that the difficulty experienced by large companies when it comes to locating the unstructured data in their systems could be a question of volume. In fact, 65% of companies collect so much data that they’re unable to categorize or analyze it. If we take into account the nature of British Airways, the largest European airline, we can get an idea of the sheer amount of personal data managed by their systems.
These days, there are advanced cybersecurity solutions specifically designed to provide support for the whole IT team, with the aim of avoiding situations like the one that BA has gone through. One such solution is Panda Data Control.
What will happen with those clients who decide to request to have their data permanently deleted from one of these platforms? In this case, the companies must have a highly detailed inventory of where all their data is, a perfect chart of this information, and almost notarial control in order to be able to prove the complete deletion of the data from all systems. All of this is offered by Panda Data Control, to ensure that users can exercise their right to be forgotten with total transparency and be able to certify it.
This data protection solution, which is integrated into Panda Adaptive Defense, allows you to discover, audit and monitor unstructured personal and sensitive data on your company’s endpoints: from data at rest, to data in use and data in motion.
It identifies the files that contain personal data (PII) and records any kind of access to it, alerting in almost real time about leaks, use, and suspicious or unauthorized traffic.
It provides total visibility of the files, users, devices and servers that access this information, so you can supervise any action carried out on the personal information that you store.
Because the most important thing when it comes to mitigating the risks related to data is to be extremely careful with how personal information is dealt with, and it is vital to know where data is stored and to know who has access to it.