Non Malicious Insiders Case Study – British Airways

British Airways was fined £20 million by the Information Commissioner’s Office (ICO) for its failure to secure customers’ financial and personal details. This substantial error meant that data of over 400,000 customers and employees was compromised after a 2018 cyber attack, with over half of this number having their bank account and card details accessed.

This breach in cyber security was the result of a lack of adequate cyber security measures taken throughout the company. It is believed that had British Airways implemented simple steps in their cyber security methods, the attack could have been prevented. This could have encompassed basic cyber security practices such as use of multi-factor authentication, security testing, and limiting users’ access to applications to only those required by their role. The failure to apply these basic measures meant that the company was extremely vulnerable to attack, and left those within the company with insecure accounts and dangerous cyber security habits. Further, a known vulnerability existed in a piece of software called Modernizr, and an update fixing it had been released. However, BA had not updated this software since 2012, leaving this obvious vulnerability open for years. It then took over two months for British Airways to notice that the cyber attack had taken place, exemplifying a deep issue in the cyber security practices of the company.
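The three basic controls named above (keeping third-party software current, enforcing multi-factor authentication, and limiting each account to the access its role requires) are all things a security team can check mechanically rather than rely on habit. The script below is an added example written for this page, not code from British Airways or the ICO; the inventory, role policy, user list and dates are constructed sample data, and the version strings are placeholders because the page gives no version numbers. It flags dependencies that have gone a long time without an update (the Modernizr situation), accounts that lack MFA, and accounts holding permissions outside their role.

```python
from datetime import date

# Constructed sample inventory of third-party front-end scripts (not a real asset list).
# The Modernizr entry mirrors the page's point that it was last updated in 2012.
THIRD_PARTY_SCRIPTS = [
    {"name": "Modernizr", "version": "PLACEHOLDER", "last_updated": date(2012, 1, 1)},
    {"name": "example-lib", "version": "PLACEHOLDER", "last_updated": date(2018, 3, 1)},
]

# Constructed role policy: the permissions each job role legitimately needs.
ROLE_PERMISSIONS = {
    "checkin_agent": {"bookings.read", "checkin.write"},
    "web_developer": {"cms.read", "cms.write", "staging.deploy"},
}

# Constructed user records: role, the permissions actually granted, and MFA status.
USERS = [
    {"user": "alice", "role": "checkin_agent", "mfa": True,
     "grants": {"bookings.read", "checkin.write"}},
    {"user": "bob", "role": "web_developer", "mfa": False,
     "grants": {"cms.read", "cms.write", "staging.deploy", "payments.admin"}},
]


def stale_dependencies(inventory, as_of, max_age_days=365):
    """Names of dependencies not updated within max_age_days of the as_of date.

    A long gap since the last update is a signal to check whether a fixed
    version exists, which is exactly the check that was missing for Modernizr.
    """
    return [
        dep["name"]
        for dep in inventory
        if (as_of - dep["last_updated"]).days > max_age_days
    ]


def accounts_without_mfa(users):
    """Usernames whose accounts are not protected by multi-factor authentication."""
    return [u["user"] for u in users if not u["mfa"]]


def excess_grants(users, role_permissions):
    """Map each over-privileged user to the permissions outside their role's set.

    Users whose grants exactly match (or are a subset of) their role are omitted,
    so an empty dict means least privilege holds for everyone in the list.
    """
    findings = {}
    for u in users:
        allowed = role_permissions.get(u["role"], set())
        extra = u["grants"] - allowed
        if extra:
            findings[u["user"]] = sorted(extra)
    return findings


def basic_controls_report(inventory, users, role_permissions, as_of):
    """Combine the three checks into one report a security team could review."""
    return {
        "stale_dependencies": stale_dependencies(inventory, as_of),
        "accounts_without_mfa": accounts_without_mfa(users),
        "excess_grants": excess_grants(users, role_permissions),
    }


if __name__ == "__main__":
    # Constructed review date in 2018, the year of the attack described on the page.
    report = basic_controls_report(THIRD_PARTY_SCRIPTS, USERS, ROLE_PERMISSIONS, date(2018, 9, 1))
    for check, result in report.items():
        print(f"{check}: {result}")
```

In practice the inventory and user records would come from the organisation's asset register and identity provider rather than literals, and the report would be run on a schedule so that a dependency left untouched for years, or an account accumulating permissions, surfaces as a finding rather than being discovered after an incident.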

As the ICO has suggested, if British Airways had taken the necessary measures to protect the large amounts of personal data which the company processes, then the 2018 attack would have been unlikely to succeed. These inadequacies were likely unintentional, though they cost the company millions, along with its reputation, demonstrating that strong cyber security measures are often neither difficult nor expensive, but are usually effective.