Both British Airways and Marriott Hotels were hit with heavy fines this month, as millions of user’s personal information were exposed. The new ruling means the Information Commissioner’s Office (ICO) can now implement charges of up to 4% of the brand's yearly revenue or £20 million, whichever is more costly. With the GDPR law now being over 12 months old in the UK, the wheels have begun to turn in the GDPR world and brands are still failing to catch up to the regulations expected of them.
British Airways has been issued a £183.4M fine after the cybercriminal gang Magecart gained access to 500,000 customer records since June 2018. But how did they do this? The attack itself centred around the creation of a false British Airways website, which lured unsuspecting customers to login and expose their payment card details, addresses and travel itineraries.
BA themselves were ‘surprised and disappointed’ by the fine and have yet to appeal the ruling.
Unlike BA, the Marriott incident is a bit less linear. So far, we know that 500 million guest records were exposed and as a result, the company has been fined £99M in GDPR charges. A popular method of infiltration is through email cloning.
“This tactic is used in phishing in order to get malware onto a target network to then move laterally across all systems.” – Source
Unfortunately, security isn’t a done and dusted process. It’s continuous, as programmes wither over time, cyber criminals delve into different infiltration methods and brands fail to continually security test their site.
Hackers have a habit of going for big brands and so far, their methods are working. But what happens when they start targeting smaller brands with approaches that are known to work. Could your brand pay a £20 million fine in 28 days?
5 Ways to avoid a cyber attack & GDPR fine
- Security testing – Ensure your web testing agency is security testing with real users. Automated testing only skims the top of your website, whereas human testers delve deeper into your site to find any loopholes.
- Use Google – With Google you can search for copies of your site or slight variations of your site. Preventing any fake copies.
- Alerts – Set up alerts which inform customers when a user has logged into their account from a different IP address
- Two is better than one – a basic two-step authentication login is one of the simplest ways to increase security
- Updated – Make sure all your systems from email to in-store accounting are processed through modern programs. Not ones from the 80/90s.
Both BA and Marriott thought their site was secure but failure to update or check basic security measurements have resulted in hefty fines and a decreased amount of trust from their loyal users. Could your site withstand a hacking incident or the costly fine which follows?