BA’s ‘Sophisticated’ Data Breach Shows Importance of Top-Level Security

Most UK companies aren’t ready for cyber-attacks, as hackers have become technically sophisticated beyond the reach of organisations’ defences. The recent attack on BA showed how this can happen. Studies also show that much needs to be done at UK organisations to bring them up to the necessary level of security. Diligent’s Governance Cloud is alone in offering the highest possible level of security for board- and management-level communications.

British Airways apologises for ‘sophisticated and malicious’ data breach – shares drop

If proof were needed that IT systems need the highest, most up-to-date level of security, then the BA data breach of September 7 would provide the determining evidence. Surprisingly, recent studies show that only a small minority of UK companies have security at that level – of the kind offered by the Diligent Governance Cloud.

On September 7, shares in British air carrier BA’s parent company, International Consolidated Airlines Group (LON: IAG), fell 1.4 per cent (Reuters) after the airline announced that it had suffered a data breach affecting card payments by 388,000 of its customers. It was the first time in the 20 years that BA has operated online that the company has suffered a data breach which compromised names, street and email addresses, credit card numbers, expiry dates and security codes.

Forced to make a public apology for the data breach, BA Chairman and Chief Executive Alex Cruz said that bookings made between August 21 and September 5 had been subject to a ‘very sophisticated, malicious criminal attack’. He dwelt on the special, highly developed techniques used by the hackers, for which BA’s defences were simply not ready, Cruz told the press.

The true cost of a data breach: The attack comes and you’re not ready – that is costly

All of this comes at a high cost. A typical FTSE 100 firm is worse off by an average of £120 million after a data breach, according to a study commissioned by cybersecurity firm CGI and conducted by Oxford Economics. The study found that companies’ share prices fall by an average of 1.8 per cent on a permanent basis following a severe breach – where large amounts of sensitive information are lost.

Issues have been raised about BA’s response to the attack, as well as concerns about BA’s unreadiness for it. The ‘sophisticated’ attack is typical of the increasing threats posed by hackers, who just become better and better at what they do.

Under the current UK law governing data protection, whose terms derive from the EU’s GDPR, failure to prepare for a data breach may mean non-compliance. Fines for non-compliance of this type are extremely high, up to £17.5 million (US$22.61 million) or four per cent of global turnover, whichever is the greater. The UK Information Commissioner’s Office has announced that it would ‘investigate’ the data breach.

While BA reported the data breach to authorities without delay, the company also had the obligation to notify customers who may have been affected by the data breach as soon as possible. But there are reports that customers did not find out about the leak until they found that their accounts had been pilfered by the hackers. Cruz has assured customers that they would be compensated if they’d suffered financial loss as a consequence of the data breach, and that will involve extensive costs as well.

Most UK companies are not ready for a data breach

On the same day, a report by 247meeting revealed that most British companies aren’t ready for a sophisticated attack of the type seen by BA. The report showed that,
in the UK:

• One-third of senior managers use the same password for email and external websites;
• One in 10 employees who have a work phone don’t have it password-protected;
• 26 per cent of employees who have access to customer data haven’t been trained for GDPR;
• Over a third of employees don’t know anything about their company’s security policies; and
• Almost half of employees admit to using technology tools to communicate at work without them being password-protected.

Businesses can ill afford to take risks regarding internal communication, where some of the most sensitive business issues are discussed, the study notes. This is doubly important for board- and management-level communications, which involve a great deal of sensitive material. Yet board members, managers and employees all continue to use unsafe email or messaging communication for this purpose – and, according to the study, much of it isn’t even password-protected!

Alarmingly, the study showed that many board members and employees are still using messaging services that aren’t even encrypted to talk about work issues, including SMS (21 per cent), Twitter (8 per cent) and Snapchat (4 per cent).

Diligent’s Governance Cloud makes sure you are ready for all threats

‘Carefully protected internal communication services centred on security and privacy are the safest way to conduct internal communication’, the study noted. Diligent, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first.

All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available, ready to thwart all of the most sophisticated attack techniques.

Diligent has established a security program, based on industry standard frameworks, that is dedicated to ensuring that customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cybersecurity framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and verified by two-factor authentication.

Data is encrypted at rest, in transit and on users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle a security incident. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.