Companies around the world have anxiously awaited who will be made an example of under the new GDPR regulations. Under GDPR, entities who violate the regulations are on the hook for stringent fines and civil lawsuits.
The GDPR has been in place since May 25, 2018, and many businesses had been preparing for the new rules for months, if not years. Many others are still scrambling to catch up before a data breach or an audit exposes them. Many details of the GDPR have yet to be ironed out, but that does not excuse any entity that handles or processes the personal data of EU residents from complying with the legislation.
Who Will Be Made An Example Of Under GDPR?
It has been known for some time that the effectiveness of the GDPR would ultimately be determined by the investigations and lawsuits against the first businesses caught violating it. Now, we may have the first major company found guilty of violating the GDPR: British Airways.
It’s no surprise that the first major company to violate the GDPR and draw media attention would come from the airline industry. The airline industry has been a spectacle of poor cybersecurity for years. The industry notoriously runs on small profit margins, so data security is not top-of-mind for executives.
As noted by past employees and security professionals, airlines run systems that are over 30 years old, and these systems are connected to much newer web services. Legacy systems, especially ones that process the personal data of customers, remain the weak point of the airline industry.
For the airlines, it’s always about the bottom line, but now their hands are being forced to take the matter of information security more seriously.
Will the EU Take Aim at British Airways for GDPR Noncompliance?
Just this month, British Airways fell victim to a massive data breach in which 380,000 transactions were affected. The breached data included the financial details of customers who transacted with the airline between August and September 2018.
Enforcing the penalties of data breaches is exactly why the GDPR was enacted. All companies that operate within the confines of the EU are now on the hook and will be investigated for their actions (or lack thereof) in the wake of any compromise of personal data. Since violating the GDPR can cost a company upwards of 4% of annual turnover, the price to pay can be massive—with the possibility of breaking a company financially. For a business as big as BA, this may only result in a glancing blow, but small to mid-sized companies may not be so lucky in the wake of a breach.
As for BA, they reported the breach as quickly as possible and even went as far as to place ads in newspapers to increase the visibility of the issue. That is a commendable response, and on its own it may not trigger an investigation by officials under the GDPR. However, there is evidence that BA knew their web applications were not entirely secure as far back as a year ago. This would and should trigger an intense investigation. At the very least, this is an opportunity to prove the effectiveness of the GDPR.
Could British Airways Have Avoided Scrutiny?
All that most businesses can do is watch and see whether BA will be made an example of under the GDPR. Whether and how that happens remains to be seen.
The fact of the matter is that BA is not alone when it comes to this type of data breach. Delta Airlines suffered a similar breach back in April. So did TicketMaster UK. Both Delta Airlines and TicketMaster UK might have been penalized for GDPR noncompliance had the GDPR been in force at the time.
It turns out that many of these data breaches happen because third-party scripts are used to run the e-commerce on websites that collect payment information. In this case, Magecart hackers seem to be the culprit, based on past evidence from similar web-based card skimmers.
RiskIQ has been reporting on this type of supply chain attack for some time now. You can see their full analysis of the BA incident here.
Should Companies Be Using 3rd Party Scripts On Their Website?
Using third-party code, scripts, tools, or plugins on websites is a great way to speed up development. It’s a common practice and provides many benefits, but when implementing any third-party code, especially on websites that process and handle personal data, businesses need to be extra careful. For a web developer it makes life easier, since they don’t have to write and test their own code. But many use third-party scripts and plugins that haven’t been updated in ages or aren’t even supported anymore.
So should you avoid third-party scripts altogether? It really depends on the application, but since more and more supply chain attacks target these tools and scripts, it makes sense to be extra sure those scripts are secure. Free and open source tools are great and help you stay under budget, but if you are developing a site that processes personal data, it may be smarter to work with a vendor that regularly updates their code and plugins.
All we can do at this point is observe how the Supervisory Authorities approach the BA data breach, but that doesn’t mean we can’t cover all our own bases in the meantime.