Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways

If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them. One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company …

  1. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    It's certainly got the airways of many British gulping

  2. Anonymous Coward

    re. Reporting a breach shows awareness

    while not reporting costs money. Amazing, what a (large) stick can do to enhance the awareness and sense of responsibility, blah blah blah..

    1. Charles 9

      Re: re. Reporting a breach shows awareness

      I still think companies will just find a way to conceal their turnover numbers so that they can just chalk it up as The Cost of Doing Business.

      1. Gordon 10
        WTF?

        Re: re. Reporting a breach shows awareness

        Eh? That makes no sense. Worldwide Turnover was specifically chosen for GDPR because it's easy to calculate and difficult to hide.

        There may be a couple of arguments about which GAAP standards it's calculated under but I can't see it being particularly easy to "hide" turnover. Especially since that may attract the ire of both the Tax Authorities and the Stock Exchange.

      2. Arctic fox
        Flame

        Re: re. Reporting a breach shows awareness

        It has always been a wonder to me that companies can get away with not reporting. If, for example, your local branch of your bank got visited by a couple of gentlemen equipped with stocking masks and shotguns and they failed to report the matter to the police then the bank could be punished for failing to report knowledge of the commission of a criminal offence. Companies that conceal attacks on their IT-systems should be prosecuted for failing to report said offence. The senior managers responsible should end up in court.

        1. hottuberrol

          Re: re. Reporting a breach shows awareness

          On that logic, the senior managers of some UK industrial giants I have worked with would be spending a part of every day in a police station reporting Chinese intrusion attempts.

          1. Fazal Majid

            Re: re. Reporting a breach shows awareness

            Only successful attempts have to be reported.

          2. macjules
            FAIL

            Re: re. Reporting a breach shows awareness

            Read https://www.riskiq.com/blog/labs/magecart-british-airways-breach, especially the bit about how they detected it was in the modernizr.js library.

            Now visit www.ba.com and follow these steps:

            In your web browser right click and choose Inspect Element (IE and Safari you have to enable this)

            Click Network and then JS and refresh the page.

            Scroll down until you can see modernizr.js and click on it.

            Notice the date for last-modified: Thu, 23 Aug 2018 12:57:01 GMT

            Implies that BA were aware of this on 23rd August and are now not telling the truth.
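A defender's counterpart to the manual check described in that post, added here as an example (not code from the article, the commenter, RiskIQ or BA): record a baseline content hash and Last-Modified date for each third-party script a payment page loads, then compare on every run and alert when the bytes differ. The script bodies and headers below are constructed; the network fetch is optional.

```python
"""Baseline-and-compare check for a third-party script such as modernizr.js.

Assumption: the site operator keeps a baseline JSON record per script URL.
A changed Last-Modified date alone is only informational; a changed body hash
is the signal that needs a human to look at the diff.
"""
import hashlib
import urllib.request
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def parse_last_modified(value: Optional[str]) -> Optional[datetime]:
    """Parse an HTTP date such as 'Thu, 23 Aug 2018 12:57:01 GMT'; None if absent or malformed."""
    if not value:
        return None
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def snapshot(headers: Dict[str, str], body: bytes) -> dict:
    """Build a baseline record from response headers and the script body."""
    lm = parse_last_modified(headers.get("Last-Modified"))
    return {
        "sha256": sha256_hex(body),
        "length": len(body),
        "last_modified": lm.isoformat() if lm else None,
    }


def fetch_snapshot(url: str, timeout: float = 10.0) -> dict:
    """Optional live fetch (not exercised offline): snapshot a script served at url."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return snapshot({"Last-Modified": resp.headers.get("Last-Modified")}, resp.read())


def compare(baseline: dict, current: dict) -> dict:
    """Return {'status': 'ok'|'info'|'alert', 'findings': [...]} for a script."""
    findings: List[str] = []
    if baseline["sha256"] != current["sha256"]:
        findings.append("content hash changed (script body differs from baseline)")
    if baseline["length"] != current["length"]:
        findings.append(f"length changed {baseline['length']} -> {current['length']}")
    if baseline["last_modified"] != current["last_modified"]:
        findings.append(f"Last-Modified changed {baseline['last_modified']} -> {current['last_modified']}")
    if baseline["sha256"] != current["sha256"]:
        status = "alert"   # bytes differ: review the diff before trusting the page
    elif findings:
        status = "info"    # metadata moved but bytes identical, e.g. a CDN re-deploy
    else:
        status = "ok"
    return {"status": status, "findings": findings}


# Constructed sample data: a baseline body and a later copy with extra code appended.
BASELINE_HEADERS = {"Last-Modified": "Thu, 23 Aug 2018 12:57:01 GMT"}
BASELINE_BODY = b"/*! constructed stand-in for modernizr.js */ window.Modernizr = {};"
TAMPERED_BODY = BASELINE_BODY + b"\n/* constructed: unexpected code appended */"

if __name__ == "__main__":
    base = snapshot(BASELINE_HEADERS, BASELINE_BODY)
    # Same Last-Modified, different bytes: the date alone would not have caught it.
    print(compare(base, snapshot(BASELINE_HEADERS, TAMPERED_BODY)))
```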

        2. phuzz Silver badge

          Re: re. Reporting a breach shows awareness

          It has always been a wonder to me that companies can get away with not reporting

          Surely this is something that could be covered by the insurance companies. In much the same way that you or I would need to provide a crime number if we claimed our mobile had been nicked, corporate insurers should insist on a full breach disclosure and police involvement before they pay up.

        3. Anonymous Coward

          Re: re. Reporting a breach shows awareness

          Are you legally obliged to report criminal offences? I witnessed several people travelling in excess of the speed limit on my drive home from work today. One was even using their mobile phone at the time! Am I now a criminal for not reporting them to the authorities? (Posted anon, just in case)

    2. macjules

      Re: re. Reporting a breach shows awareness

      To me it is far more likely that they got hacked on 21st August and decided to cover up and say it was between 21st August and 5th September in order to avoid GDPR penalties for late disclosure.

  3. Chris G

    Going by a lot of British websites I have visited, I think a lot of British companies are hoping that after brexit the GDPR regs are going to go away. Many of them are trying to make it as difficult as possible to opt out of 'Data sharing' with them but I think they are going to be disappointed, the UK can't really afford to ignore it, as so much of its future business is still going to depend on complying with Europe.

    1. Anonymous Coward

      There are still plenty of 'european' residents in the UK. Doesn't matter that the UK may not be part of the EU, but its residents will still be.

      1. FrogsAndChips Silver badge

        @AC, nationality is not relevant to GDPR, it's residency. When UK is no longer part of EU, EU nationals will not be covered by GDPR while they reside in the UK, but UK citizens will still be protected when they visit EU countries.

        1. John Brown (no body) Silver badge

          "@AC, nationality is not relevant to GDPR, it's residency. When UK is no longer part of EU, EU nationals will not be covered by GDPR while they reside in the UK, but UK citizens will still be protected when they visit EU countries."

          You've got that arse about face. The whole point of GDPR (and the UK version enacted in UK law) is that it applies to residents of the EU while in the EU (and UK, even after Brexit) and citizens' data wherever it is, ie you can't collect and export the data to somewhere where it won't be protected, hence the kerfuffle over the US data protection figleaf.

          1. Anonymous Coward

            You've got that arse about face. The original comment was spot on. I'll correct yours.

            Data legally collected within the EU borders, about EU citizens cannot be exported out of those borders without consent.

            Data collected outside the EU borders, about EU citizens, well pretty much anything goes, EU laws have no jurisdiction outside of EU borders.

            If after brexit the current Data Protection Act remains in place, then anyone breaking it will be breaking UK law, they will not be breaking EU law. If post brexit the EU inspired parts of the Data Protection Act are repealed, then no law is being broken, because UK subjects will not be subject to EU laws.

            Please don't confuse UK and EU laws with US laws. The Americans would like to think that US law is universal, and whilst it mostly isn't, they are a big enough bully in the playground that other nations simply let them get away with acting like it is.

    2. JerseyDaveC

      Not going to happen. It's essential for the UK to have its data protection legislation recognised as "adequate" by the EU if UK organisations are to continue seamlessly to exchange information with entities (and about people) in the EU.

      1. Missing Semicolon Silver badge

        GDPR is ours anyway

        Apparently we actually were its biggest enthusiasts. I can't see us rowing back on it now.

        1. cosmogoblin

          Re: GDPR is ours anyway

          Apparently we actually were its biggest enthusiasts. I can't see us rowing back on it now.

          Why on earth not? That's precisely what Theresa May did at the Home Office with the Human Rights Act.

    3. Anonymous Coward

      "Going by a lot of British websites I have visited, I think a lot of British companies are hoping that after brexit the GDPR regs are going to go away. "

      Given that we've already enacted GDPR into British law in the form of the Data Protection Act 2018, they're in for a shock.

      1. Aqua Marina

        “Given that we've already enacted GDPR into British law in the form of the Data Protection Act 2018, they're in for a shock.”

        You’re forgetting that once we’re brexited, then a single Act of Parliament can repeal any EU legislation previously enacted using wording as simple as “Act of Parliament xxxxxxxx is now repealed this date of xxx of yyy year zzzz.”

        As a sovereign nation any legislation or agreement we’ve entered into with other nations can simply be repealed by our democratically elected parliament.

        1. Anonymous Coward

          >You’re forgetting that once we’re brexited, then a single Act of Parliament can repeal any EU legislation previously enacted using wording as simple as “Act of Parliament xxxxxxxx is now repealed this date of xxx of yyy year zzzz.”

          Wasn't all the fuss about the Henry VIIIth powers so that the relevant Minister could just repeal law as they saw fit? So Sajid Javid could repeal GDPR one Friday, just for fun if he so wished.

          1. Aqua Marina

            Repealing stuff

            The same goes for Brexit. There seems to be a myth that because the UK voted to brexit, we have to go ahead with it end of discussion. Even if the referendum was legally binding (which it wasn't, but that's another story) it can be overturned simply by holding another referendum. A democracy can overturn any previous decision, simply by following the democratic process. Some of the people I hear on the news that state "the people have spoken, the government must carry their wishes out" are forgetting that in a democracy, the people can change their minds, otherwise we would have political parties that once in power, couldn't be voted out.

            If another referendum was held now (let's just say it's a legally binding one to keep it simple) and the result of that referendum was to remain, then the previous decision to leave has no legal standing.

            I think our government may just decide to hold another referendum if things are looking messy so business can carry on as normal. Better the devil you know than the one you don't.

  4. Flywheel

    Is the ICO up to it though?

    I get the feeling that despite the increasingly heavy responsibility being heaped on them, they won't actually have the time or resource to actually deal with GDPR issues, breaches and the usual stuff they do. Oh, and the p0rn checking later.. Will government realise this and actually spend some sensible cash, or will it limp along and fail?

    1. Anonymous Coward

      Re: Is the ICO up to it though?

      Schrems doesn't think regulators will be enough and he's a world class expert. The UK govt is already kicking biz regulators to the sidelines. Big Corps like Google / Facebook will also appeal appeal appeal for years. The only hope is that private lawyers like Schrems / NOYB can move faster and / or EU regulators can come together as one as they're supposed to and squeeze ICO:

      -

      "Max Schrems / NOYB: "Tech companies will likely do the maths on GDPR sanctions to see which problematic features are so profitable that they can afford to keep them running - or at least eat a one-time fine as an experiment in testing the EU"

      -

      https://www.rte.ie/news/business/technology/2018/0816/985601-google-location-gdpr/

      -

      "Britain’s White-Collar Cops Are Getting Too Good at Their Job - Brexit talks aren’t going well, and PM Theresa May is desperate to maintain the U.K.’s attractiveness to international capital after it finally leaves the European Union. The sudden emergence of an aggressive anticorruption agency is unhelpful to her pitch":

      -

      https://www.bloomberg.com/news/features/2018-03-01/britain-s-white-collar-cops-are-getting-too-good-at-their-job

    2. Anonymous Coward

      Re: Is the ICO up to it though?

      The key question is, how independent is the ICO? If it's the Govt's Regulator then expect endless conflicts of interest from 3-letter spying agencies to UK-firms etc. Government is hugely conflicted about dragnet surveillance as it gives them draconian control and crackdown abilities. It's likely UK Govt Inc will push hard for the reality below following Brexit, playing the illegal immigration card to justify it.... Ireland with its new ID card is heading the same way along with Germany too scarily:

      https://en.wikipedia.org/wiki/Social_Credit_System

      https://www.brookings.edu/blog/techtank/2018/06/18/chinas-social-credit-system-spreads-to-more-daily-transactions/

      https://www.cnet.com/news/black-mirror-too-real-in-china-as-schools-shun-parents-with-bad-social-credit/

      https://www.theguardian.com/world/commentisfree/2018/jul/12/algorithm-privacy-data-surveillance

      https://www.bbc.co.uk/news/technology-43428266

      https://neweconomics.org/2018/07/whats-your-score

      https://global.handelsblatt.com/politics/germany-mass-surveillance-social-credit-china-big-data-886786

  5. Andy The Hat Silver badge

    Less Daily Mail please ...

    Not commenting on the breach, just the reporting style. Even I, an old thicko, can work out that

    "detected its breach on July 29 last year, but only told the world months later on September 7"

    is a bit heavy on the bias.

    In my dictionary "months" would be multiples of "month". Two "month" would be a good start for "months", three would be ideal. Just because it says "July" and "September" in the timeline does not make it three months - it's still only a few days more than one. Actually "weeks" would be good ...

    Perhaps if there is a breach on New Year's Eve and it is declared on New Year's Day, the report will suggest the declaration being made "years later"?

    1. Charlie Clark Silver badge

      Re: Less Daily Mail please ...

      is a bit heavy on the bias.

      Indeed and now I'm confused. Was the breach July 2018 or 2017? (it does say last year). In either case "months" is not really appropriate.

      1. Anonymous Coward

        Re: Less Daily Mail please ...

        Maybe it needs a new register standard for time. I propose the "Ikea" which can be represented as either a "Year" (how long it feels) or "12 Hours" of actual time should you find the exit on the same day.

    2. awavey

      Re: Less Daily Mail please ...

      The Equifax breach was discovered in July 2017, it had been leaking details since May 2017 (at least), so it took 'months' to notice it was happening and a further month to bother telling anyone. A year later and we still haven't quite got the full detail released. It's not unreasonable or Daily Mail style to describe Equifax's approach to reporting the breach as taking 'months'.

      1. Andy The Hat Silver badge

        Re: Less Daily Mail please ...

        The Reg report of the declaration was on 7 Sep 2017, ie about 5 weeks after the breach. I stand by my comment.

  6. Lordbrummie

    Companies about to take security seriously?

    It's about time there was a law with actual teeth that makes these big companies sit up and actually take the security of our personal data seriously. GDPR does just that, no longer can a company just say "we'll risk it" when asked to spend money on network/data/physical security, the risk is now up to 4% of global revenue (including the parent company). On the flip side the security companies must think it's Christmas come early. If BA is found to be liable I hope they get a fine in the £100's of millions, I'm a firm believer in the "shoot one, scare many" approach, it's a big "if" but hopefully we'll get a detailed explanation of how they were compromised.

    1. Joe Harrison

      Re: Companies about to take security seriously?

      Unlikely that fines approaching anywhere near 4% of global turnover will ever happen in our lifetime. Even before GDPR the ICO has always been able to fine up to half a million pounds. Their record of actually collecting it (not necessarily their fault) is very poor.

      1. Doctor Syntax Silver badge

        Re: Companies about to take security seriously?

        @Joe Harrison

        Any judicial or quasi-judicial body with the power to levy fines does so on a graduated basis. If they go for a maximum fine in minor cases how are they going to differentiate the more egregious cases? Or, as the saying puts it, might as well be hung for a sheep as a lamb.

        1. JerseyDaveC

          Re: Companies about to take security seriously?

          The concept of a "discount" for reporting promptly is an interesting one. Failure to report on time would be an administrative breach, inviting a fine of 2% of turnover or EUR10m. The data loss itself is a data breach, with a potentially higher penalty of 4% of turnover or EUR20m. Had BA taken too long to report, the ICO would consider a fine for the failure to report (an administrative breach, with a max of 2% of turnover or £10m) AND a fine for the breach (a data breach, with a max of 4%/EUR20m). They wouldn't be added together, though: item 3 of Article 83 states: "... the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement".

          Which is interesting, because unless the administrative fine was greater than the data breach fine, it'd effectively be disregarded anyway.

        2. JerseyDaveC

          Re: Companies about to take security seriously?

          Agreed.

          A fiver says that they have some internal guidance that has been extensively considered with regard to the variables upon which a fine is based. You can't just slap a maximum fine on someone to make an example of them: if another company is less naughty and gets fined less, an appeal will instantly be forthcoming from the company that got the monetary kicking.

          Fines must be proportionate and dissuasive: enough to make it worth taking steps to protect yourself, but not idiotically big.

        3. Teiwaz
          Joke

          Re: Companies about to take security seriously?

          Or, as the saying puts it, might as well be hung for a sheep as a lamb.

          That saying needs to be updated - These days, underage lamb related crime probably has stiffer penalties.

    2. Doctor Syntax Silver badge

      Re: Companies about to take security seriously?

      "If BA is found to be liable I hope they get a fine in the £100's of millions"

      Their quick disclosure takes them out of the top tier of fines.

      A more desirable outcome would be for them to have relatively little in terms of fines to be contrasted with someone who tries to cover up being hit really hard. If BA were fined heavily after a quick disclosure it would send the wrong message entirely. It would suggest that the difference in penalty between covering up and being found on the one hand and owning up on the other wasn't great. That would lead to a risk analysis that it would be worth trying to cover up to avoid any penalty as the additional cost price of failing over the certain cost of notifying would be minor.

    3. Jove Bronze badge

      Re: Companies about to take security seriously?

      That would have to wait until Social Media are forced to set-up a legal entity in each jurisdiction they operate in and be subject via that entity to local regulations.

      1. This post has been deleted by its author

    4. Anonymous Coward

      Re: Companies about to take security seriously?

      It'd be a lot more promising if it was MANAGEMENT about to take security seriously.

      Companies don't make decisions in a vacuum, management make those decisions and if management want to personally and individually be held responsible (and reap the rewards) when things go well, surely there should be a flip side to that ?

      Management don't pay penalties, companies don't pay penalties, customers, staff, etc generally end up picking up the costs.

      Off with their heads.

      1. Anonymous Coward

        Re: Companies about to take security seriously?

        You'd be effectively killing off limited-liability corporations, then, as one of the reasons they exist at all is to deflect risk. Otherwise, investors would never pony up.

  7. Anonymous Coward

    I'm glad it happened to BA but not their customers as they've suffered enough.

    I'll never forgive Bastard Airlines for fucking me over.

    1. MiguelC Silver badge

      You do realize that what they got was the customers' details (card numbers and the like)... guess who will, eventually, get screwed?

  8. Version 1.0 Silver badge

    In the USA ...

    ... generally the first thing that happens is the corporate lawyers try to sue whoever finds the leak.

  9. Anonymous Coward

    PR damage minimisation

    Is it me or suddenly the coverage of a breach turns into a positive public relations exercise? The articles that I have seen either lean towards deflecting the blame (there was a red herring about "third party scripts" here in El Reg recently) or praising BA for how quickly they announced the breach never mind that, as the article says, we are obliged to do that by the GDPR.

    If they want to be honest and helpful, they should cut the bullshit and publish a detailed post-mortem of how they got breached in the first place (there is no shame in getting breached per se).

    1. Anonymous Coward

      Re: PR damage minimisation

      there is no shame in getting breached per se

      There bloody well should be, with the sole exception of getting hit by a zero day attack that the target company couldn't mitigate against. The vast majority of breaches appear to be avoidable through rigorous application of good security practice, and that includes avoiding third party scripts and redirects unless genuinely essential.

      1. Charles 9

        Re: PR damage minimisation

        Nope, people get hit, life goes on. Unless and until it hits THEM directly (as in they lose all their money or something similarly drastic), they won't care about what happens to the other guy. Plus, that's why there's insurance.

      2. Anonymous Coward

        Re: PR damage minimisation

        > There bloody well should be

        With due respect, do you have experience and/or qualifications in an information security role?

        Being breached per se means that the opponent deployed an attack that was superior to your defences (in intensity, cunning, duration or any combination of the three). That is a different problem than whether those defences were adequate in the first place, in terms of the risk that could be reasonably expected and, as someone else says, what other mitigation measures you have for when the breach does occur (you start your planning by assuming that a breach has occurred).

        And then, even if you misplanned or did not plan in the first place, a post-mortem is always helpful both to you and to the industry at large, notwithstanding that legal might want to take a look before release.

        Apologies if I am teaching grandma to suck eggs, but I do not understand your comment.

  10. Anonymous Coward

    So as long as it's reported in time the horse has bolted from the barnyard is fine...

  11. EnviableOne

    Article 33

    It says that "[the company] shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify [...] the supervisory authority [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification [...] is not made within 72 hours, it shall be accompanied by reasons for the delay."

    so it doesn't have to be within 72 hrs, but if it's not, you have to justify it.

    and the fine is based on the Global group turnover, not the business unit, so if there were to be a fine, it would be based on IAG's turnover not BA's

  12. Lomax
    Thumb Up

    > "the answer is Article 33 of Europe's GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours. Security breaches are now understood as having their own lifecycle."

    Thank you to everyone involved in making this happen. A bit late, perhaps, but better late than never.
