
GDPR Fine Enough or More Disclosure?

The UK cares about its citizens' privacy to the tune of a $229 million (US) fine of British Airways for a breach that disclosed information of approximately half a million customers. It's exciting — a significant fine for a significant loss of data. I think GDPR will lead to improved security of information systems as companies scramble to avoid onerous fines and start to demand more from those who provide information security services and products.

I wish, though, that as part of their penance, GDPR required companies to provide more details, more quickly, about how the breach occurred and how a company like British Airways fell short in stopping it. The conversation about what standard of care organizations must meet needs to move quickly and fluidly.

From a Tripwire article:

"Precisely how the hackers managed to gain access to British Airways' infrastructure to plant the malicious code in the first place hasn't been made public. However, what's clear is that for a period of time they failed to notice that a JavaScript library used in their website's payment flow had been tampered with."

What has been learned about the breach seems to be coming from third-party analysis such as the blog posting from RiskIQ. It turns out that British Airways is one of a number of companies, including Ticketmaster and Newegg, to have had problems with digital card skimming attacks. Sanguine Security Labs reported that 962 online shops were recently attacked in the same way within a single 24-hour period.

Digital card skimming attacks date back to 2016 and show no sign of abating. The attackers keep innovating and succeeding because it is hard to keep up with the newest variations of the Magecart family of attacks. It is also unclear which defensive steps are reasonable and most cost-effective.

Elizabeth Denham, the UK commissioner in charge of the agency that levied the fine, was quoted as saying:

"That's why the law is clear — when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Organizations must report breaches. There is real urgency to address digital skimming attacks, which continue to compromise user data. Shouldn't the EU and the bureaucracy administering the GDPR be anxious to share what they know about how these attacks are evolving and what they believe are the appropriate steps to prevent them? For example, is British Airways being fined because they failed to patch a known vulnerability such as the PHP Object Injection vulnerability CVE-2016-4010? Were they fined because they didn't have a file integrity monitor in place on their servers verifying that scripts had not been tampered with? Organizations that fall under GDPR jurisdiction need to know what misstep British Airways took from the viewpoint of the UK office.
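To make the file-integrity question concrete, here is a small script-integrity check of the kind asked about above. It is an added example, not code from the original post or from British Airways: it baselines the SHA-256 of every JavaScript file under a web root, reports anything modified, added or missing, and also produces the Subresource Integrity (SRI) value a browser can use to refuse a tampered script. The `checkout/payment.js` path and its contents are constructed for the demo.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large bundles are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, pattern: str = "*.js") -> dict:
    """Known-good state: relative path -> SHA-256 for every script under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}

def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; any difference is an alert."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def sri_attribute(path: Path) -> str:
    """Subresource Integrity value for <script integrity="..."> (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(path.read_bytes()).digest()).decode()

def demo() -> dict:
    """Constructed scenario: baseline a checkout script, then simulate a tampering edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        script = root / "checkout" / "payment.js"   # hypothetical path, not BA's
        script.parent.mkdir()
        script.write_text("function pay(card) { return post('/api/pay', card); }\n")
        baseline = build_baseline(root)
        sri_before = sri_attribute(script)
        # Simulated tampering: one appended line is enough to change every digest.
        script.write_text(script.read_text() + "// simulated unauthorized edit\n")
        return {"report": verify(root, baseline),
                "sri_changed": sri_before != sri_attribute(script)}

if __name__ == "__main__":
    print(demo())
```

Run the baseline step on a known-good deployment and the verify step on a schedule; the SRI value belongs in the `integrity` attribute of any `<script>` tag that loads the file, so the browser itself rejects a changed copy.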

When a breach occurs, more information needs to be disclosed, and disclosed more quickly, about what happened and what went wrong. "Appropriate steps" will mean more once the GDPR regulators say what those steps are. British Airways will be given the opportunity to defend whether it acted reasonably. The reasoning behind whatever decision is made needs to be made public. Providing an account of what went wrong is as important as holding companies accountable.

By Curt Dukes, Executive Vice President
