To Fine, To Serve

Unless you have been stricken with memory loss, brainwashed by positive corporate messaging, or otherwise impaired, you will no doubt recall last year’s announcement that British Airways had lost a truckload of customers’ data which we covered in one of these missives and also updated as the numbers ebbed and flowed.

In our update we said, and this was hardly at the Nostradamus (you should see his predictions for this year, which include earthquakes in America in July) spooky end of the spectrum: “Is that the sound of a brand new pair of GDPR branded rubber gloves being applied? Time will tell.”

So it comes as no surprise to us then that British Airways has been served with a massive fine of £183 meeelion. There can be no doubt that Elizabeth Denham, the Information Commissioner, has had her claws sharpened and strengthened in the GDPR forge and is just starting to press them into catching and torturing big rats.

The Information Commissioner’s Office (ICO) has also announced its intention to fine Marriott International nearly £100 meeelion. Not a bad week at the office. At this rate the ICO could be in the FTSE100 before too long.

As anyone who knows anyone that works for BA, especially flight crew, including pilots and cabin staff, will tell you, BA has been drastically cutting costs, putting a lot of pressure on the staff. Many cabin crew have had to take second jobs to cover their costs. One can only wonder who will end up paying the price for this total incompetence. It is unlikely to be the Chief Executive, especially if we look at what has happened to other chiefs that presided over enormous breaches, such as Dido Harding at TalkTalk and Marissa Mayer of Yahoo.

According to the very vague details available, the money raised from these fines “goes back to the treasury”, although the ICO is exploring ways to retain some for legal costs.

You can bet the fines will be strongly challenged by both BA and Marriott in court cases that will either be settled for a fraction of the announced gargantuan sums or drag on in the courts for ages. As with most things, the only surefire winners are the lawyers, many of whom, in ambulance-chasing manner, are approaching BA breach victims with the promise of compensation. Is it too late to cross-train to the legal profession?

There are a growing number of security types who are suggesting that it might be a good idea to force the culprits to invest a percentage of the fine in improving security. If that could actually be enforced, it wouldn’t be a bad idea, and who would make da monies then? Step forward the IT Sales professionals complete with perma-tans and large watches.

You will recall that the BA breach was attributed to the Magecart hacking outfit. Magecart got their name because of their abuse of the popular Magento Web payment system, which has had more bugs than all the contestants of I’m a Celebrity combined, possibly more than WordPress, slightly less than Adobe but nowhere near as many as Microsoft (see below).

We talked about vulnerabilities in Magento in October 2016 and again in February 2017. Amongst our advice was:

The most useful tip for providers using Magento is to check the status of their online presence using a free online service at: www.magereport.com. You could even use this tool to check the status of a boutique store you may be thinking of using, if you were an untrusting cynic like us!

We know some people who probably should have read that don’t we?

If you use Magento, or use sites that do (see above), you really need to be on your toes and continuously assess the status of your Internet-facing estate. The razor sharp advisors at ITC can help you do this, and keep doing it to protect your user data. If you would like some help, please contact us at: [email protected] or call 020 7517 3900.

Now, moving on to this month’s Microsoft bug bashing fest that is Patch Tuesday. Microsoft has patched the usual gazeeelion bugs; however, one of them, a bug in (pretty much) all versions of DHCP server that enables full takeover of a server with a single crafted packet, is very, very scary and believed to be in the wild. If you want the low-down, pop over to the hallowed halls of the esteemed B. Krebs Esq, who has given the patches the once over.

You all know what you should be doing, preferably before you settle down to the Wimbledon Tennis finals and of course the Cricket World Cup final.

Fingers crossed for England.