BA data breach fine
The UK data protection regulator has fined British Airways £20 million for a series of security failures that led to the theft of more than 400,000 customers' personal details. The Information Commissioner's penalty notice provides a case study in how to ensure the success of a cyber attack, and also in outlandish excuses, such as the claim that payment card breaches are “entirely commonplace” and an “unavoidable fact of life.” Much (possibly too much) of the ICO's notice is redacted, but what remains makes it clear that BA broke basic information security rules, including storing the login credentials for a domain administrator account in plaintext and failing to review software code effectively. The ICO lists a number of basic measures that would have prevented the attack, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication. This is the second, and by far the biggest, fine levied by the ICO under the GDPR, but it is far lower than the £183.39 million originally proposed. The ICO ascribes the reduction to BA's "representations" and "the economic impact of COVID-19". The notice runs to 114 pages and is well worth a detailed read.