It's certainly got the airways of many British gulping
Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them. One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company …
COMMENTS
Wednesday 12th September 2018 10:47 GMT Gordon 10
Re: re. Reporting a breach shows awareness
Eh? That makes no sense. Worldwide Turnover was specifically chosen for GDPR because it's easy to calculate and difficult to hide.
There may be a couple of arguments about which GAAP standards it's calculated under but I can't see it being particularly easy to "hide" turnover. Especially since that may attract the ire of both the Tax Authorities and the Stock Exchange.
-
Wednesday 12th September 2018 11:25 GMT Arctic fox
Re: re. Reporting a breach shows awareness
It has always been a wonder to me that companies can get away with not reporting. If, for example, your local branch of your bank got visited by a couple of gentlemen equipped with stocking masks and shotguns and they failed to report the matter to the police then the bank could be punished for failing to report knowledge of the commission of a criminal offence. Companies that conceal attacks on their IT systems should be prosecuted for failing to report said offence. The senior managers responsible should end up in court.
-
Friday 14th September 2018 10:43 GMT macjules
Re: re. Reporting a breach shows awareness
Read https://www.riskiq.com/blog/labs/magecart-british-airways-breach, especially the bit about how they detected it was in the modernizr.js library.
Now visit www.ba.com and follow these steps:
In your web browser, right-click and choose Inspect Element (in IE and Safari you have to enable this)
Click Network and then JS and refresh the page.
Scroll down until you can see modernizr.js and click on it.
Notice the date for last-modified: Thu, 23 Aug 2018 12:57:01 GMT
Implies that BA were aware of this on 23rd August and are now not telling the truth.
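The check described above reads one header off a served script in a browser's network panel. The same check scripted, as an added example that is not code from the comment above, from RiskIQ or from BA: it parses a captured HTTP response, reads its Last-Modified header, and compares the body hash and date against a baseline recorded when the script was known good. The response, the baseline and the comparison date below are all constructed for illustration; only the header value quoted in the comment is taken from the page.

```python
"""Date a served script from its Last-Modified header and compare it
against a recorded baseline (content hash plus modification date).

Added example; the HTTP response, baseline and dates are constructed.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime (keeps the sample data short)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires; a repeated header keeps its last value, which is fine for
    Last-Modified since a server sends it at most once.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status_line, headers, body


def last_modified(headers: Dict[str, str]) -> Optional[datetime]:
    """Return Last-Modified as an aware datetime, or None if absent.

    HTTP dates are RFC 7231 IMF-fixdate strings ("Thu, 23 Aug 2018 ...
    GMT"); the email utilities parse that format and map GMT to UTC.
    """
    value = headers.get("last-modified")
    return None if value is None else parsedate_to_datetime(value)


def body_sha256(body: bytes) -> str:
    """Hex SHA-256 of the script body: the value to record in a baseline."""
    return hashlib.sha256(body).hexdigest()


def check_script(raw: bytes, baseline: Dict[str, object], compare_to: datetime) -> List[str]:
    """Compare a captured response with a baseline record.

    baseline   : {"sha256": digest recorded earlier, "last_modified": aware datetime}
    compare_to : the date of interest (in the comment above, the date the
                 operator says it first became aware of the problem)
    Returns human-readable findings; an empty list means nothing changed.
    """
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    digest = body_sha256(body)
    if digest != baseline["sha256"]:
        findings.append(f"content changed: sha256 {digest} != baseline {baseline['sha256']}")
    modified = last_modified(headers)
    if modified is None:
        findings.append("no Last-Modified header; cannot date the change from headers")
    else:
        if modified != baseline["last_modified"]:
            findings.append(f"Last-Modified moved from {baseline['last_modified']:%Y-%m-%d %H:%M:%S}"
                            f" to {modified:%Y-%m-%d %H:%M:%S} UTC")
        if modified < compare_to:
            findings.append(f"script was modified before {compare_to:%Y-%m-%d}")
    return findings


# Constructed stand-in for the script body as first deployed (known good).
KNOWN_GOOD_BODY = b"/* constructed stand-in for a script body */\nwindow.Modernizr = {};\n"
# Constructed: the body now being served differs by one appended line.
SERVED_BODY = KNOWN_GOOD_BODY + b"// unexpected extra statement (constructed)\n"

# Constructed response, as a browser's network panel would show it; the
# Last-Modified value is the one quoted in the comment above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/javascript\r\n"
    b"Last-Modified: Thu, 23 Aug 2018 12:57:01 GMT\r\n"
    b"\r\n" + SERVED_BODY
)

# Constructed baseline, as if recorded when the script was known good.
BASELINE = {"sha256": body_sha256(KNOWN_GOOD_BODY), "last_modified": utc(2018, 1, 1)}

if __name__ == "__main__":
    # The comparison date is an arbitrary illustrative value, not a date
    # taken from the article.
    for finding in check_script(SAMPLE_RESPONSE, BASELINE, utc(2018, 9, 1)):
        print(finding)
```

Last-Modified is whatever the origin server or CDN chooses to send, so on its own it is a lead rather than proof of when a file changed; the content hash against a baseline taken at deployment is the check that actually detects a modified third-party script, and it is the one worth running on a schedule.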
-
Wednesday 12th September 2018 15:18 GMT phuzz
Re: re. Reporting a breach shows awareness
> It has always been a wonder to me that companies can get away with not reporting
Surely this is something that could be covered by the insurance companies. In much the same way that you or I would need to provide a crime number if we claimed our mobile had been nicked, corporate insurers should insist on a full breach disclosure and police involvement before they pay up.
-
Wednesday 12th September 2018 22:56 GMT Anonymous Coward
Re: re. Reporting a breach shows awareness
Are you legally obliged to report criminal offences? I witnessed several people travelling in excess of the speed limit on my drive home from work today. One was even using their mobile phone at the time! Am I now a criminal for not reporting them to the authorities? (Posted anon, just in case)
-
Wednesday 12th September 2018 08:25 GMT Chris G
Going by a lot of British websites I have visited, I think a lot of British companies are hoping that after brexit the GDPR regs are going to go away. Many of them are trying to make it as difficult as possible to opt out of 'Data sharing' with them, but I think they are going to be disappointed; the UK can't really afford to ignore it, as so much of its future business is still going to depend on complying with Europe.
-
Thursday 13th September 2018 22:29 GMT John Brown (no body)
"@AC, nationality is not relevant to GDPR, it's residency. When UK is no longer part of EU, EU nationals will not be covered by GDPR while they reside in the UK, but UK citizens will still be protected when they visit EU countries."
You've got that arse about face. The whole point of GDPR (and the UK version enacted in UK law) is that it applies to residents of the EU while in the EU (and UK, even after Brexit) and citizens' data wherever it is, i.e. you can't collect and export the data to somewhere where it won't be protected, hence the kerfuffle over the US data protection figleaf.
-
Friday 14th September 2018 13:51 GMT Anonymous Coward
You've got that arse about face. The original comment was spot on. I'll correct yours.
Data legally collected within the EU borders, about EU citizens cannot be exported out of those borders without consent.
Data collected outside the EU borders, about EU citizens, well pretty much anything goes, EU laws have no jurisdiction outside of EU borders.
If after brexit the current Data Protection Act remains in place, then anyone breaking it will be breaking UK law, they will not be breaking EU law. If post brexit the EU inspired parts of the Data Protection Act are repealed, then no law is being broken, because UK subjects will not be subject to EU laws.
Please don't confuse UK and EU laws with US laws. The Americans would like to think that US law is universal, and whilst it mostly isn't, they are a big enough bully in the playground that other nations simply let them get away with acting like it is.
-
Wednesday 12th September 2018 20:06 GMT Aqua Marina
“Given that we've already enacted GDPR into British law in the form of the Data Protection Act 2018, they're in for a shock.”
You’re forgetting that once we’re brexited, then a single Act of Parliament can repeal any EU legislation previously enacted using wording as simple as “Act of Parliament xxxxxxxx is now repealed this date of xxx of yyy year zzzz.”
As a sovereign nation any legislation or agreement we’ve entered into with other nations can simply be repealed by our democratically elected parliament.
-
Wednesday 12th September 2018 22:20 GMT Anonymous Coward
>You’re forgetting that once we’re brexited, then a single Act of Parliament can repeal any EU legislation previously enacted using wording as simple as “Act of Parliament xxxxxxxx is now repealed this date of xxx of yyy year zzzz.”
Wasn't all the fuss about the Henry VIII powers so that the relevant Minister could just repeal law as they saw fit? So Sajid Javid could repeal GDPR one Friday, just for fun if he so wished.
-
Thursday 13th September 2018 12:07 GMT Aqua Marina
Repealing stuff
The same goes for Brexit. There seems to be a myth that because the UK voted to brexit, we have to go ahead with it end of discussion. Even if the referendum was legally binding (which it wasn't, but that's another story) it can be overturned simply by holding another referendum. A democracy can overturn any previous decision, simply by following the democratic process. Some of the people I hear on the news that state "the people have spoken, the government must carry their wishes out" are forgetting that in a democracy, the people can change their minds, otherwise we would have political parties that once in power, couldn't be voted out.
If another referendum was held now (let's just say it's a legally binding one to keep it simple) and the result of that referendum was to remain, then the previous decision to leave has no legal standing.
I think our government may just decide to hold another referendum if things are looking messy so business can carry on as normal. Better the devil you know than the one you don't.
-
Wednesday 12th September 2018 08:30 GMT Flywheel
Is the ICO up to it though?
I get the feeling that despite the increasingly heavy responsibility being heaped on them, they won't actually have the time or resources to actually deal with GDPR issues, breaches and the usual stuff they do. Oh, and the p0rn checking later... Will government realise this and actually spend some sensible cash, or will it limp along and fail?
-
Wednesday 12th September 2018 09:32 GMT Anonymous Coward
Re: Is the ICO up to it though?
Schrems doesn't think regulators will be enough and he's a world class expert. The UK govt is already kicking biz regulators to the sidelines. Big Corps like Google / Facebook will also appeal appeal appeal for years. The only hope is that private lawyers like Schrems / NOYB can move faster and / or EU regulators can come together as one as they're supposed to and squeeze ICO:
Max Schrems / NOYB: "Tech companies will likely do the maths on GDPR sanctions to see which problematic features are so profitable that they can afford to keep them running - or at least eat a one-time fine as an experiment in testing the EU"
https://www.rte.ie/news/business/technology/2018/0816/985601-google-location-gdpr/
"Britain’s White-Collar Cops Are Getting Too Good at Their Job - Brexit talks aren’t going well, and PM Theresa May is desperate to maintain the U.K.’s attractiveness to international capital after it finally leaves the European Union. The sudden emergence of an aggressive anticorruption agency is unhelpful to her pitch":
https://www.bloomberg.com/news/features/2018-03-01/britain-s-white-collar-cops-are-getting-too-good-at-their-job
-
Wednesday 12th September 2018 09:58 GMT Anonymous Coward
Re: Is the ICO up to it though?
The key question is, how independent is the ICO? If it's the Govt's Regulator then expect endless conflicts of interest from 3-letter spying agencies to UK firms etc. Government is hugely conflicted about dragnet surveillance as it gives them draconian control and crackdown abilities. It's likely UK Govt Inc will push hard for the reality below following Brexit, playing the illegal immigration card to justify it. Ireland, with its new ID card, is heading the same way, along with Germany too, scarily:
https://en.wikipedia.org/wiki/Social_Credit_System
https://www.brookings.edu/blog/techtank/2018/06/18/chinas-social-credit-system-spreads-to-more-daily-transactions/
https://www.cnet.com/news/black-mirror-too-real-in-china-as-schools-shun-parents-with-bad-social-credit/
https://www.theguardian.com/world/commentisfree/2018/jul/12/algorithm-privacy-data-surveillance
https://www.bbc.co.uk/news/technology-43428266
https://neweconomics.org/2018/07/whats-your-score
https://global.handelsblatt.com/politics/germany-mass-surveillance-social-credit-china-big-data-886786
-
Wednesday 12th September 2018 08:52 GMT Andy The Hat
Less Daily Mail please ...
Not commenting on the breach, just the reporting style. Even I, an old thicko, can work out that
"detected its breach on July 29 last year, but only told the world months later on September 7"
is a bit heavy on the bias.
In my dictionary "months" would be multiples of "month". Two "month" would be a good start for "months", three would be ideal. Just because it says "July" and "September" in the timeline does not make it three months - it's still only a few days more than one. Actually "weeks" would be good ...
Perhaps if there is a breach on New Year's Eve and it is declared on New Year's Day, the report will suggest the declaration being made "years later"?
-
Wednesday 12th September 2018 12:26 GMT awavey
Re: Less Daily Mail please ...
The Equifax breach was discovered in July 2017; it had been leaking details since May 2017 (at least), so it took 'months' to notice it was happening and a further month to bother telling anyone. A year later and we still haven't quite got the full detail released. It's not unreasonable or Daily Mail style to describe Equifax's approach to reporting the breach as taking 'months'.
-
Wednesday 12th September 2018 09:02 GMT Lordbrummie
Companies about to take security seriously?
It's about time there was a law with actual teeth that makes these big companies sit up and actually take the security of our personal data seriously. GDPR does just that: no longer can a company just say "we'll risk it" when asked to spend money on network/data/physical security, the risk is now up to 4% of global revenue (including the parent company). On the flip side the security companies must think it's Christmas come early. If BA is found to be liable I hope they get a fine in the £100's of millions; I'm a firm believer in the "shoot one, scare many" approach. It's a big "if", but hopefully we'll get a detailed explanation of how they were compromised.
-
Wednesday 12th September 2018 09:13 GMT Joe Harrison
Re: Companies about to take security seriously?
Unlikely that fines approaching anywhere near 4% of global turnover will ever happen in our lifetime. Even before GDPR the ICO has always been able to fine up to half a million pounds. Their record of actually collecting it (not necessarily their fault) is very poor.
-
Wednesday 12th September 2018 09:29 GMT Doctor Syntax
Re: Companies about to take security seriously?
@Joe Harrison
Any judicial or quasi-judicial body with the power to levy fines does so on a graduated basis. If they go for a maximum fine in minor cases how are they going to differentiate the more egregious cases? Or, as the saying puts it, might as well be hung for a sheep as a lamb.
-
Wednesday 12th September 2018 09:40 GMT JerseyDaveC
Re: Companies about to take security seriously?
The concept of a "discount" for reporting promptly is an interesting one. Failure to report on time would be an administrative breach, inviting a fine of 2% of turnover or EUR10m. The data loss itself is a data breach, with a potentially higher penalty of 4% of turnover or EUR20m. Had BA taken too long to report, the ICO would consider a fine for the failure to report (an administrative breach, with a max of 2% of turnover or £10m) AND a fine for the breach (a data breach, with a max of 4%/EUR20m). They wouldn't be added together, though: item 3 of Article 83 states: "... the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement".
Which is interesting, because unless the administrative fine was greater than the data breach fine, it'd effectively be disregarded anyway.
-
Wednesday 12th September 2018 09:42 GMT JerseyDaveC
Re: Companies about to take security seriously?
Agreed.
A fiver says that they have some internal guidance that has been extensively considered with regard to the variables upon which a fine is based. You can't just slap a maximum fine on someone to make an example of them: if another company is less naughty and gets fined less, an appeal will instantly be forthcoming from the company that got the monetary kicking.
Fines must be proportionate and dissuasive: enough to make it worth taking steps to protect yourself, but not idiotically big.
-
Wednesday 12th September 2018 09:24 GMT Doctor Syntax
Re: Companies about to take security seriously?
"If BA is found to be liable I hope they get a fine in the £100's of millions"
Their quick disclosure takes them out of the top tier of fines.
A more desirable outcome would be for them to have relatively little in terms of fines to be contrasted with someone who tries to cover up being hit really hard. If BA were fined heavily after a quick disclosure it would send the wrong message entirely. It would suggest that the difference in penalty between covering up and being found on the one hand and owning up on the other wasn't great. That would lead to a risk analysis that it would be worth trying to cover up to avoid any penalty as the additional cost price of failing over the certain cost of notifying would be minor.
-
Wednesday 12th September 2018 11:17 GMT Anonymous Coward
Re: Companies about to take security seriously?
It'd be a lot more promising if it was MANAGEMENT about to take security seriously.
Companies don't make decisions in a vacuum, management make those decisions, and if management want to personally and individually be held responsible (and reap the rewards) when things go well, surely there should be a flip side to that?
Management don't pay penalties, companies don't pay penalties, customers, staff, etc generally end up picking up the costs.
Off with their heads.
-
Wednesday 12th September 2018 11:55 GMT Anonymous Coward
PR damage minimisation
Is it me, or has the coverage of a breach suddenly turned into a positive public relations exercise? The articles that I have seen either lean towards deflecting the blame (there was a red herring about "third party scripts" here in El Reg recently) or praising BA for how quickly they announced the breach, never mind that, as the article says, we are obliged to do that by the GDPR.
If they want to be honest and helpful, they should cut the bullshit and publish a detailed post-mortem of how they got breached in the first place (there is no shame in getting breached per se).
-
Wednesday 12th September 2018 12:57 GMT Anonymous Coward
Re: PR damage minimisation
> there is no shame in getting breached per se
There bloody well should be, with the sole exception of getting hit by a zero day attack that the target company couldn't mitigate against. The vast majority of breaches appear to be avoidable through rigorous application of good security practice, and that includes avoiding third party scripts and redirects unless genuinely essential.
-
Wednesday 12th September 2018 18:23 GMT Anonymous Coward
Re: PR damage minimisation
> There bloody well should be
With due respect, do you have experience and/or qualifications in an information security role?
Being breached per se means that the opponent deployed an attack that was superior to your defences (in intensity, cunning, duration or any combination of the three). That is a different problem than whether those defences were adequate in the first place, in terms of the risk that could be reasonably expected and, as someone else says, what other mitigation measures you have for when the breach does occur (you start your planning by assuming that a breach has occurred).
And then, even if you misplanned or did not plan in the first place, a post-mortem is always helpful both to you and to the industry at large, notwithstanding that legal might want to take a look before release.
Apologies if I am teaching grandma to suck eggs, but I do not understand your comment.
-
Wednesday 12th September 2018 15:59 GMT EnviableOne
Article 33
It says that "[the company] shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify [...] the supervisory authority [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification [...] is not made within 72 hours, it shall be accompanied by reasons for the delay."
So it doesn't have to be within 72 hrs, but if it's not, you have to justify it.
And the fine is based on the global group turnover, not the business unit, so if there were to be a fine, it would be based on IAG's turnover not BA's.
-
Wednesday 12th September 2018 21:47 GMT Lomax
> "the answer is Article 33 of Europe's GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours. Security breaches are now understood as having their own lifecycle."
Thank you to everyone involved in making this happen. A bit late, perhaps, but better late than never.