Sometimes the truth grows wings and takes flight
How UK media reported the ICO’s intention to fine BA & Marriott Hotels, and a penetration tester’s view on what BA could have and should have done.
Oh, and what’s happened so far with the fine that they actually did issue to Facebook
On 8th July, the ICO issued a notice of intent to fine BA £183.39m. This was immediately jumped upon, somewhat gleefully, by our news outlets, who touted it as confirmation of their doom-laden GDPR reporting of the previous year. You can’t really blame them; unfortunately, these days click-baiting headlines are what pays the bills.
If you are following these news outlets, then you probably think that the ICO issued BA with a fine of over £183M for their post-GDPR data breach. And why wouldn’t you? Especially when our national state broadcaster says stuff like: “The penalty imposed on BA….”
The fact is, they haven’t ‘imposed a penalty’ or ‘issued a fine’. Also, BA won’t and can’t ‘appeal’ this fine, because no fine has yet been made. In addition, data breaches such as this, broadly speaking, attract the lower 2% fine threshold, not the 4% that is being widely publicised. That said, and not to get too technical, it could potentially come under the 4% threshold – ultimately, we’ll have to wait for the final ICO report.
Here’s what has actually happened so far:
1. In September 2018, BA disclosed to the ICO that its booking system had been compromised; it became apparent that around 500,000 customers’ details had been harvested by outside malicious forces.
2. BA and the ICO worked together to uncover the full details and to check whether there was any fraudulent activity on the linked accounts.
3. Fast-forward to now and the ICO have issued a ‘notice of intent to fine’.
OK, so an intent to fine, not an actual fine but that’s just semantics isn’t it?
Not really. It’s quite a big difference. By issuing this ‘notice of intent’ the ICO are simply starting the process; the worst-case scenario is that BA will have to cough up all the money. But long before that, BA can make ‘representations’, that is, provide the ICO with information that could lead them to reduce or even withdraw the fine.
Again, contrary to what you may have seen in our media, this isn’t an ‘appeal’. Once (and if) the ICO do issue the fine (whatever amount that may be) then BA can appeal.
And then, what do you know? Another one!
That’s right, barely had the ink dried on the BA notice of intent when the very next day the ICO were at it again. This time Marriott Hotels were on the receiving end for their Starwood Hotels Group ‘mega breach’ with an intent to fine of £99m. Even in this post GDPR world they are pretty eye-watering figures.
Especially when you consider that in the 8 years before GDPR (2010 – 2018) the ICO only levied a total of £17m in fines and actually only recouped just over £9m. The most famous of these was the £500,000 fine they issued to Facebook, the most that could be issued under pre-GDPR rules.
Talking about the Facebook fine – what is happening there?
Glad you asked! Well, it started off messy and got worse from there. The ICO were criticised for announcing that they were going to fine Facebook before it even had a chance to respond, something they rarely did in the past. Basically, they were saying: “OK, we would like to fine you, subject to seeing your representations, but before we give you that chance to respond we are going to tell everyone anyway.”
They then went ahead and issued the fine in pretty short time, and there have been allegations of a change in the basis of the monetary penalty notice in comparison to the original Notice of Intent – which gave more strength to the impression some may have had that they were always going to do this regardless of any Facebook representations to the contrary.
Unsurprisingly, Facebook appealed, and at the time of writing the Preliminary Issue Ruling from the First-tier Tribunal had just been published. The ICO had sought to strike out the Facebook appeal, which focused on alleged flaws in the procedural process; the Judge refused the Commissioner’s application.
So, in short, it doesn’t look like Zuckerberg will be writing that £½ million cheque any time soon!
Back to BA, so were they really negligent then?
Like £183m negligent?
To answer this question, we took the journey down the steps to the basement and into the deep, murky and mysterious depths of our penetration testing lab. Once we had negotiated the various booby traps and empty pizza boxes and, following extensive negotiations with the Service Delivery Manager, we were finally granted an audience with our lead Penetration Tester.
He explained to us that this was a sophisticated and directly targeted attack on BA which included a focus on third-party JavaScript libraries loaded by the booking pages. These libraries were exploited to send client data – including payment card details and addresses – to a URL crafted to resemble BA’s own.
He added that the use of third parties’ resources is always something that would be considered and highlighted in a pen test. The security integrity of these libraries cannot always be guaranteed and, as demonstrated in this example, a compromised library has the potential for both a devastating real-world impact on the target application’s users and large fines and loss of reputation for the application owners.
In an unusually conciliatory fashion however, he did concede that this is a vulnerability that is sometimes overlooked as a ‘theoretical attack vector’ and is difficult to exploit.
As an example, PortSwigger’s Burp Suite (a standard pen testing tool) highlights this issue as just ‘Informational’: essentially a low risk rating that may lead clients to believe that these issues carry little real possibility of exploitation.
Moral of the story? Well, it just goes to show that even the Low / Informational issues highlighted in pen tests should be carefully considered and remediated where at all necessary. Does this omission, in this case, deserve a fine of 1.5% of their annual turnover? The jury’s out on that one, we reckon.
There’s a couple of other morals to this story as well.
Firstly, we advise that you ignore any of the ‘experts’ you come across trying to sell you their services based on the erroneous reporting and commentary regarding these ‘not fines’. They are clearly not experts if they don’t understand the basic principles. If you do need to engage an outside resource to assist you with your organisation’s data protection requirements, use reputable outfits that can demonstrate years of commercial data protection expertise.
Finally, running regular, scheduled vulnerability assessments and penetration tests on your outward-facing web instances is a must. Make sure you use a company that understands all the nuances of web app testing, one that understands that just because a vulnerability shows as low risk doesn’t mean it can be ignored.
Would you believe it? A company like ours!