British Airways Magecart Third-party Breach Leads to a $230 Million GDPR Fine
According to the UK Information Commissioner's Office (ICO), a notice has been issued to British Airways of its intention to fine the airline $230 million (£183.39M) for "infringements of the General Data Protection Regulation (GDPR)".
The reason for the planned penalty is last year's BA data breach, which exposed the details of around 500,000 customers. According to the ICO, the September 2018 incident "involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018".
The incident itself was first disclosed by British Airways at the beginning of September 2018. According to InfoSecurity, security researchers claimed to have found stolen card details from British Airways for sale on the darknet just a week after the incident. According to the ICO, "poor security arrangements" at British Airways led to the breach of sensitive data, including credit card information, booking details, names and addresses, and user login details of approximately half a million customers.
The Magecart Hacking Group
The Highest Penalty Under Europe’s New Data Privacy Law
In 2018 the ICO fined Facebook $626,000 (£500,000) over the Cambridge Analytica data scandal. At that time, before the new GDPR regulations came into force, it was the highest penalty amount allowed. In June 2019 Italy's data protection watchdog issued Facebook a €1,000,000 fine for violating its local privacy law.
According to the BBC, the £183.39 million ($230M) fine is the biggest penalty the ICO has handed out and the first to be made public under the new rules.