IT Security Costs Money, No IT Security Costs More Money
British Airways, or rather its customers, are the latest victims of a major hack that compromised sensitive personal data. Details of 380,000 credit cards are claimed to have been stolen in the data breach. This allegedly includes not only the credit card numbers but also the card security codes (CVV). This event is no exception to the pattern that cybersecurity receives hardly any attention in the mainstream media. Several technical websites have reported the incident online, but apart from this, details are scarce. After all, it's just a data theft – happens all the time. And why should customers get upset? If stolen credit card numbers are used, the bank will reimburse the damage. It's cheaper and doesn't upset the customers.
In the past, the managers at BA would probably have wiped the sweat off their foreheads, too, and would have gone quietly and carefully back to business as usual, so that the whole thing was quickly forgotten. But now there is the GDPR, and some industry observers already believe that the incident could become the first example of the new power of data protection. BA has already informed the supervisory authorities of the breach correctly; so far, so good. But the fact remains that all the criteria for a data protection violation are met. This potentially means a hefty fine, depending on how far BA can be accused of negligence.
After all, the data breach was detected reasonably quickly. Nevertheless, the attackers had access to customer data between August 21 and September 5. Anyone who bought flights or other services from BA during this time was affected. The figure of 380,000 records makes the hack one of the largest data breaches in the UK. The dispute with the supervisory authorities is likely to be particularly interesting because of a recently leaked internal memo. It notes the increasing relevance of attacks and is critical of outsourcing cybersecurity. There are usually two reasons for outsourcing: A) internal teams cannot provide an adequate security level, or, in other words, there is a lack of expertise and of management's willingness to take security seriously (also in terms of resources), or B) the company wishes to cut costs immediately.
Neither reason is likely to be popular with the data protection authority. Security may be expensive, but it is now essential for companies that run highly visible and accessible online services and must protect their customers' personal and payment details. Cost-cutting exercises that may cause a data breach only a few weeks later are not effective. Another aspect is currently only being discussed behind closed doors: Did the hackers cause any further damage that hasn't been reported? Are there other attacks in progress that just haven't been discovered yet? So far it has only been confirmed that a website and the servers for a mobile app were affected. But the forensic work is certainly not over yet, and BA managers are likely waiting for the results of the analyses with bated breath.
After one of the biggest hacks in the UK, this may be the calm before the storm. All over Europe, CISOs are looking to British Airways and the regulators to see what will happen. One thing is certain: it won't be business as usual.