SIT284 Assignment 1: Report on British Airways Data Breach Incident

Verified

Added on 2022/10/11

AI Summary

This report provides a comprehensive analysis of the 2018 British Airways data breach, examining the incident's details, including the fraudulent website and credit card skimming malware used by attackers. It delves into the threats, vulnerabilities, and exploits employed, such as cross-site scripting and JavaScript modifications. The report explores the legal and ethical issues involved, particularly in relation to the Data Protection Act 1998 and GDPR, as well as the ethical responsibilities of the company. It also addresses the consequences of the breach, including financial penalties, loss of goodwill, and reputational damage. Furthermore, the report highlights key lessons learned, such as the importance of up-to-date website platforms, continuous monitoring, and secure file exchange servers. Finally, it offers recommendations for businesses, including developing a data inventory, understanding GDPR obligations, and establishing a data breach response process. This assignment was submitted by a student and is available on Desklib.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Cyber Security Management
8/4/2019
Student’s Name

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

CYBER SECURITY MANAGEMENT 1
Contents
Introduction......................................................................................................................................2
Threats, vulnerabilities and exploits analysis..................................................................................2
Legal and Ethical Issue analysis......................................................................................................4
Consequences..................................................................................................................................5
Lessons Learned..............................................................................................................................6
Recommendation.............................................................................................................................7
References........................................................................................................................................9

CYBER SECURITY MANAGEMENT 2
Introduction
An organization consists of many stakeholders and interest of these people is closely connected
to the working of the company. This is the reason that an organization is required to be
accountable and responsible in its dealings. With the development of technology and passage of
time, every organization uses technology for its workings and do not keep the client data or other
records in physical form. In such a situation, there is always a risk of data breach incidents. A
data breach incident can be understood as a situation where information of an organization gets
unauthorized access of the third party. In recent years, many of the incidents of data breach have
been reported. These incidents contain different legal and ethical issues. For the preparation of
this assignment, the data breach incident of British Airways is selected. The incident happened in
2018 and had many negative consequences. In the presented report, the manner of a data breach,
threats involved in the incident will be addressed. Further legal and ethical issues involved in the
breach will also be discussed. In conjunction with these, the focus will be made to the
consequence of subjective data breach incident and lessons that one learns from the same. Lastly,
a conclusion summarizing the whole report will be drawn upon.
Threats, vulnerabilities and exploits analysis
Before moving towards the methods used in the selected data breach, first, it is necessary to
understand what exactly happened. The incident happened in 2018 when the website of British
Airways (BA) diverted to a fraudulent site. The company carries the business of flag carrier.
Attackers harvest details of about five lakh customers through this fraudulent website. On 6
September 2018, the incident was first disclosed and as per the initial report of BA, 380000
transactions were affected (Bbc.com 2019, para. 7). In order to discuss the type of information

CYBER SECURITY MANAGEMENT 3
that affected this is to state that as per Information Commissioner's Office (ICO) such
information included payment card details, login credentials, and travel booking details of
customers in addition to address, and name details.
BA stated that information that has been affected included credit card details of such as credit
card number, CVV code and expiry details of cards (Calder 2019, para. 6). Now moving the
discussion towards threats and vulnerabilities used in the attack, this is to mention that credit
card skimming malware has been installed on BA by attackers. A cybersecurity company named
RiskIQ assessed this incident and published a report on the strategy of hackers used in this
incident. RiskIQ linked the data breach to the gang that was active in 2015. The subjective gang
is known for the practices of credit card skimming and vacuuming data from websites that do not
secure payment-related data. The analyst at RiskIQ stated that probably hackers of this incident
were engaged in cross-site scripting attack. Under this kind of attack, hackers identify websites,
which are poorly unsecured. They develop their own code and inject to the same to these not so
secure website to alter a victim’s site behavior.
Further threat researcher Yonathan Klijnsma also identified other threats that were involved in
the selected data breach incident. He checked all the scripts on the website of BA and found one
javascript that has been modified just before the data breach incident (Newman 2018, para. 6). It
was found that hackers have modified the component of the script with the intention to include
their code into the same. This code was the real threat that has been used in this incident as the
same grabbed all the data from BA’s website such as the personal data of the client. In this
manner, it is clear that the breach has conducted through the website of the company. Further BA
also stated that mobile users also have affected. In the case of the app too, the same JavaScript
Component has been used for website hacking.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

CYBER SECURITY MANAGEMENT 4
Legal and Ethical Issue analysis
An organization always has certain liabilities towards its stakeholders. These liabilities involve
legal obligation as well as an ethical obligation. Whenever an incident of data breach reports
there, certain legal and ethical issues arise. Staring from the legal issues this is to state that every
nation has some privacy laws that are applicable to business and demand to keep the information
of client safe and secure.
In the UK, Previously Data Protection Act 1998 was there. The act required organizations to
keep the personal data of stakeholders secure. Company has developed its privacy policy as
according to the requirements of this act. As mentioned above, the company failed to secure the
data of its customers, hence in such a situation, BA breached the provisions of the Data
Protection Act 1998. However, at the time of the studied breach, new privacy law has been
applied throughout Europe and the same is known as the General Data Protection Regulation
(GDPR). The regulations became applicable with effect from 25 May 2018 (Reuvid, 2018).
Therefore, the case of BA was the first one that has been dealt with under new privacy law
(Ikeda, 2019). Similar to the Data Protection Act 1998, GDPR also contains certain requirements
for the business and assure the penalties for those entities that report data breach incident. BA in
this way actually breached provisions to GDPR, i.e. privacy law of the nation.
Now, moving towards ethical issues, this is to state that ethics is an important part of every
business. Entities have a social responsibility to its stakeholders where they are requiring
maintaining privacy of them. Nevertheless, BA failed to do so. Secondly, the business was
required to act in the best interest of the customer, which is one of the lead stakeholder group.
Because of poor security techniques of the company, nearly five lakh customers lost their

CYBER SECURITY MANAGEMENT 5
personal data that seems to be very irresponsible and unethical action of the company. However,
the incident was not intentional yet company breached their ethical responsibility as it did not
have taken the security issues as serious as it ought to be.
Consequences
The studied incident led out many negative consequences. These consequences include monetary
as well as non-monetary. Not only the customers were affected but the company also affected out
of this breach. As per the provisions of DPR every victim person has the right to ask for
damages if suffers from a material or non-material breach (Lambert, 2016). BA confirmed that
the same would not let any of its passengers to bear out of pocket expenses because of this
incident. In conjunction with the company also confirmed that it will reimburse direct losses to
customers that they have occurred because of a data breach. Apart from the payment of damages,
the second adverse consequence came into the form of penalties. Recently British authorized
have published a notice in which it was intended that BA have to pay £183m as penalties
(Leighday.co.uk 2019, para. 1). Such a huge amount would affect the financial functioning of the
company in the future. The amount of penalties has been calculated under GDPR. The calculated
amount is about 1.5% annual worldwide turnover of BA (Sweney 2019, para. 5).
These are just economic consequence. In conjunction with this, some non-monetary
consequences are also there. Loss of goodwill comes at the very first place. BA secures a place
of largest airline company based on fleet size. Further based on a number of passengers, it is the
second-largest airlines in the UK (Airlineportal.org 2019, para. 1). Before the incident, millions
of people were used to trust BA but now their trust is broken somewhere. It badly affected the
trust of stakeholders very badly. Data Breach incident is not a small incident especially when

CYBER SECURITY MANAGEMENT 6
data related to bank details and credit card is available. Company has developed its goodwill
over many years but the incident of privacy data breach gave a big shock to customers
(Lexology.com 2019, para. 4). No one wants to deal with the organization with that his/her data
is not secured. Further, the company had its privacy policy that has been breached. It simply
spread a message among stakeholders that the company is not so serious about compliance with
their policy and is not responsible for its dealing. These elements affected goodwill and market
reputation of the company, which is a terrible consequence for sure.
Lessons Learned
The selected article is a significant one in the history of a data breach. The company, as well as
customers, got affected very badly. On one side, customers lost the privacy of their data; the
company came across to various monetary as well as non-monetary losses. As the incident
brought much adverse impact, BA, as well as no other organization, would like to go through it
again. Some lessons are there that one may get from this incident. The first lesson is to keep the
website platform up to date. As mentioned above attackers used the website of BA for a data
breach. The website of the company was updated as per the latest version and because of weak
spot, hackers became able to inject their malicious code into it. Yonathan Klijnsma revealed that
attackers secretly added a credit card skimmer to the online payment form. The incident
happened in case of the app too. This is a significant lesson that one may get from this incident
that a continuous monitoring system must be there. When a threat monitoring process is there,
chances of an incident of a data breach are less likely.
Further, a file exchange server is there in every cyber system that organizations use to send and
receive data from customers. This server is required to be safe and secure all the time. At most,

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

CYBER SECURITY MANAGEMENT 7
of the time, companies’ use outdated protocols that are easily open to cyber attackers and do not
restrict unauthorized access to data in every situation. Here organizations are required to
remember the BA data breach case and are required to understand how dangerous an unsecured
file exchange server could be. Organizations should check and ensure that no vulnerabilities
present in exchange servers (Silva 2018, para. 10). Therefore, it is a key lesson of a data breach
that an organization must never use improper or unsafe exchange system.
Recommendation
As a consequence of breach as well as lessons of the same is clear, some recommendations for
business is also required to be made. These recommendations are a suggestion on the activities
that BA should do to minimize, prevent, and mitigate similar damages and breaches. The very
first recommendation for BA is to develop and resort a data inventory. This will help the
organization to know and understand the type of information usually collected by the same and
purpose of the same. For the development of proper data security strategy, a data inventory is
required to be there.
The second thing to do is to understand the organization’s obligation under GDPR. When the
company would be aware of expectations, then only the same would be able to know the
seriousness of its dealings and will develop proper plans and procedure and to develop
cybersecurity system accordingly. GDPR does not define and identifies the security measures
that are required to be in place. BA needs to decide these measures considering context, scope,
purpose, and nature of data processing. These security measures include various standard and
guidelines that BA is required to comply with. The measures can be anything such as the
Payment Card Industry Data Security Standard and so on. It is also recommended for BA to

CYBER SECURITY MANAGEMENT 8
develop and implement a process for dealing with a data breach. Under GDPR certain task are
required to do in response to a data breach. For instance, a data breach must be reported within
72 hours of becoming aware of it. BA is required to develop its cybersecurity policy considering
these provisions.
Further, as mentioned earlier, timely review of system security is highly recommended for BA.
By doing so the company can be ensured about any potential threat in the cyber system and can
take the required action before threat turns into a reason of another data breach.

CYBER SECURITY MANAGEMENT 9
References
Airlineportal.org 2019, British Airways, Airlineportal.org, retrieved 03 August 2019,
<http://www.airlineportal.org/british-airways.htm>.
Bbc.com 2019, British Airways faces record £183m fine for data breach, Bbc.com, retrieved 03
August 2019, <https://www.bbc.com/news/business-48905907>.
Calder, S. 2019, British Airways Data Breach: Airline Fined £183m After Credit Card Details
Stolen, Independent.co.uk, retrieved 03 August 2019,
<https://www.independent.co.uk/travel/news-and-advice/british-airways-hack-credit-card-data-
breach-fine-security-a8992876.html>.
Data Protection Act 1998
Ikeda, S. 2019, British Airways Facing Record Penalty; Is This the Beginning of Maximum
GDPR Fines? COP Magazine, retrieved 03 August 2019 <https://www.cpomagazine.com/data-
protection/british-airways-facing-record-penalty-is-this-the-beginning-of-maximum-gdpr-fines/
>.
Lambert, P., (2016) The Data Protection Officer: Profession, Rules, and Role. New York : CRC
Press.
Leighday.co.uk 2019, British Airways facing record £183 million fine over data hack of
customer information, Leigh Day, retrieved 03 August 2019,

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

CYBER SECURITY MANAGEMENT 10
<https://www.leighday.co.uk/News/2019/July-2019/British-Airways-facing-record-183-million-
fine-ov>
Lexology.com 2019, Overview of ICO's Decision to Fine British Airways, Lexology.com,
retrieved 03 August 2019, <https://www.lexology.com/library/detail.aspx?g=4e796e44-7402-
4035-8e2d-86417dcfc6c2>.
Newman, L., H 2018, How hackers slipped by british airways' defenses, wired.com, retrieved 03
August 2019, <https://www.wired.com/story/british-airways-hack-details/>.
Reuvid, J. (2018) Easy Steps to Managing Cybersecurity. London: Legend Press Ltd.
Silva, J 2018, 3 Important IT Lessons to Take Away After the British Airways Data Breach,
Thruinc.com, retrieved 03 August 2019, <https://www.thruinc.com/3-important-it-lessons-to-take-
away-after-the-british-airways-data-breach/>.
Sweney, M 2019, BA faces £183m fine over passenger data breach, Theguardian.com, retrieved
03 August 2019, <https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-
breach-british-airways>.