NordVPN Promotion

Home / Blogs

GDPR Fine Enough or More Disclosure?

The UK cares about its citizens’ privacy to the tune of a $229 million (US) fine of British Airways for a breach that disclosed information of approximately half a million customers. It’s exciting—a significant fine for a significant loss of data. I think GDPR will lead to improved security of information systems as companies scramble to avoid onerous fines and start to demand more from those who provide information security services and products.

I wish, though, that as part of their penance, GDPR required companies to provide more details more quickly about how the breach occurred and how a company like British Airways fell short in stopping it. The conversation needs to move quickly and fluidly about what is the standard of duty of care that must be met by organizations.

From a tripwire article:

“Precisely how the hackers managed to gain access to British Airways’ infrastructure to plant the malicious code in the first place hasn’t been made public. However, what’s clear is that for a period of time they failed to notice that a JavaScript library used in their website’s payment flow had been tampered with.”

What has been learned about the breach seems to be coming from third-party analysis such as the blog posting from RISIQ. It turns out that British Airways is one of a number of companies such as Ticketmaster and Newegg to have problems with digital card skimming attacks. Sanguine Security Labs reported that 962 online shops were recently, similarly attacked in a 24-hour period.

Digital card skimming attacks date back to 2016 and show no sign of abating. The attackers keep innovating and succeeding because it is hard to keep up with the newest variations of the Magecart mode of attacks. It’s also confusing to know what defensive steps are reasonable and most cost-effective.

Elizabeth Denham, the UK commissioner in charge of the agency that levied the fine, was quoted as saying:

“That’s why the law is clear—when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Organizations must report breaches. There is real urgency to address digital skimming attacks, which continue to compromise user data. Shouldn’t the EU and the bureaucracy administering the GDPR be anxious to share what they know about how these attacks are evolving and what they believe are the appropriate steps to prevent them? For example, is British Airways being fined because they failed to patch a known vulnerability such as the PHP Object Injection vulnerability CVE-2016-4010? Were they fined because they didn’t have a file integrity monitor in place on their servers verifying that scripts had not been tampered with? Organizations that fall under GDPR jurisdiction need to know what misstep British Airways took from the viewpoint of the UK office.

When a breach occurs, more information needs to be disclosed more quickly about what happened and what went wrong. Appropriate steps will sound better when GDPR speaks up about what those are. British Airways will be given the opportunity to defend whether they acted reasonably. The reasoning behind whatever decision is made needs to be made public. Providing an account of what went wrong is as important as holding companies accountable.

By Curt Dukes, Executive Vice President

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

NordVPN Promotion