Cybersecurity investigators have detailed the British Airways customer data theft which has resulted in a £20 million ($26 million) fine being imposed on the UK flag-carrier.

The figure is in line with the expectations of parent company IAG, which had disclosed in its first-half results that it was setting aside a provision of €22 million as a “best estimate” of the penalty, following the data breach two years ago.

This fine has been heavily reduced from an earlier figure of £183 million, mainly as the understanding of the events became clear, but partly to reflect the airline’s response and to take into account the financial impact of the pandemic.

Investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

Over the course of 22 June to 5 September 2018 a “malicious actor” gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice.

It adds that British Airways alerted it to the breach on 6 September and – while it “does not admit liability” for the breach of European data-protection regulations – the airline has “co-operated fully” with the investigation.

BA 787-c-British Airways

Source: British Airways

British Airways had been facing a potential fine of more than £180 million

But the inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyberattacker obtained access to log-in credentials for an employee of cargo-handler Swissport.

Five accounts connected to Swissport were compromised. The Swissport accounts were not protected by multi-factor authentication – such as the transmission of a code to a mobile phone which an authorised user would possess.

Having obtained initial access to the British Airways network, the attacker was able to break out of the immediate environment and gain access to areas not intended to be accessed by Swissport employees.

British Airways has theorised about how this might have been achieved, but the details have been heavily redacted by the Information Commissioner’s Office.

The airline believes the attacker was able to “launch tools and scripts that [the remote-access gateway] would ordinarily have blocked”, and bring in tools from outside the environment – which were then used to “conduct network reconnaissance”.

This reconnaissance enabled the attacker to access the log-in and password of a privileged domain administrator account.

“Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states. The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files – which were not encrypted – were actually a test feature and not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each was only retained for 95 days. This nevertheless left 108,000 payment cards exposed.

BA home page

Source: British Airways

Part of the cyberattack involved redirecting customers’ data as they booked online

But the attacker went further in mid-August 2018, setting up a redirect to a different website – branded ‘BAways’ – which copied the payment card data of customers booking with the airline online. This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90min.

The attacker would potentially have accessed personal data from nearly 430,000 of the airline’s customers and staff, the Office estimates. Some 40,000 took up the airline’s offer of a credit check and management service.

Although British Airways sought to highlight the sophistication of the attack, the Office dismissed this excuse. “The attack in this case was not of such a degree of sophistication as to negate [the airline’s] responsibilities for securing its system,” it says, adding that the attack’s being a criminal act does not alter the company’s obligations.

Investigators have concluded that British Airways should have identified weaknesses in its security and resolved them with measures available at the time.

Even the reduced fine is the Office’s largest to date, and information commissioner Elizabeth Denham says the failure to act was “unacceptable”.

“People entrusted their personal details to British Airways, and British Airways failed to take adequate measures to keep those details secure,” she adds.

British Airways has since made “considerable improvements” to its IT security, the Office states.

But it also points out that the breach was noticed by a third party, and “it is not clear whether or when” the airline might have identified the attack itself.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

“We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” it says.