British Airways could have done more to keep the front end of their data network secure

Alex Bransome, Virtual Chief Information Security Officer (vCISO) at Doherty Associates, experts in managing and securing cloud services, explains why British Airways’ security systems were breached and how businesses can stay secure and GDPR compliant.  

“According to the ICO report, there were major weaknesses at the front end of British Airways’ data network via its website which is surprising given this is where all business critical data on customers is processed.

“The attack was made possible due to a major web based vulnerability in the front end of BA’s website which cyber attackers exploited using a common strain of malware, heavily customised to exploit the vulnerabilities of the BA network.

“It was a very well planned and targeted attack which allowed cyber criminals to skim off customer data and credit card details. BA should have been doing more to monitor, test and update their security systems to ensure there were no gaps in their cyber defence that hackers could take advantage of.

“Commonly organisations make the mistake of deploying security systems and then leaving them but this record £183m fine imposed on BA is a warning shot to all other organisations that the ICO is serious about fining anyone breaching GDPR regulations. To keep your front door secure and personal data protected at all times, companies must regularly run security checks and update their security systems to ensure any vulnerabilities are identified and patched so no gaps are left for cyber criminals to exploit. If not, they are leaving their customers’ data exposed, risking a GDPR compliance breach and major reputation damage.”