July 9, 2019

BA fine: High GDPR fines could become bragging rights for hackers

By Robert Scammell

The record-breaking £183m fine issued to British Airways (BA) is the General Data Protection Regulation (GDPR) in action, both as a punishment and a deterrence for lapses in cybersecurity.

The UK’s data regulator, the Information Commissioner’s Office (ICO), issued the notice to BA for “poor security arrangements” that resulted in cybercriminals stealing the personal and payment details of some 380,000 customers in September last year.

It is the first time the ICO has issued a fine under the tougher EU rules that came into force in May 2018, making BA something of a GDPR “guinea pig”.

But could such eye-watering GDPR fines have the unintended consequence of providing additional motivation for cybercriminals to target large companies – acting as a faux-trophy in underground hacking communities?

Why hackers hack

First, it’s worth considering why someone might carry out a cyberattack. The overwhelming majority are financially driven, with a 2017 Verizon study finding this was the leading motive for hackers. In some cases, they are politically motivated – perhaps orchestrated at a nation-state level – while espionage is also a driver.

Then there are hacktivists, such as Anonymous, who target a company for socially or politically motivated reasons. Others, such as the teenager found guilty of attacking TalkTalk in 2015, carry out cyberattacks to show off their skills.

Such a culture of ‘kudos’ is rife on the dark web, where bringing down a big company can act as a trophy. On underground forums, attackers are known to brag about their hacking exploits, building up a reputation – a portfolio for future opportunities.

“Reputation has predominately been a driving force in the ‘hacking’ community: from notoriety to trust, it all forms a basis for your future,” Jake Moore, cybersecurity specialist at ESET, told Verdict.

“If what you do cannot be backed up by exams or performance data, the hacking or underground community may have to rely on your past accomplishments and interactions to help secure future work.”

The notorious hacker known as ‘Gnosticplatyers’ is a prime example of this. Last month, Gnosticplayers contacted journalists to claim responsibility for the Canva data breach, in which they made off with the personal details of almost 140 million users of the graphic design platform.

BA fine: A brave new (GDPR) world

The British Airways fine has given everyone a taste of what to expect in a post-GDPR world – including cybercriminals.

Under previous legislation, the maximum penalty for poor data practices in the UK was £500,000. With GDPR, the maximum fine at the disposal of European data regulators is now €20m or 4% of global annual turnover.

Given that the BA fine was just 1.5% of its 2017 worldwide turnover, there is plenty of scope left for even heftier fines. For some of the more egotistical cyber attackers, this could be seen as a challenge to be responsible for inflicting the biggest GDPR fine on a company.

Malcolm Taylor, director cyber advisory at cybersecurity firm ITC Secure, has “no doubt” that large fines will “motivate some attackers to target big, well-known corporations”.

“They will take vicarious pleasure from launching an attack, harvesting data, and then watching the size of the fine,” he says. “Most attackers are in it for the money, but the perverse kudos they will feel (and get) is also likely to be a factor.”

He added that there could be particular glory in “being the attacker behind the ICO’s biggest ever fine”.

It is not difficult to image a black hat hacker wearing a GDPR fine as a badge of honour, perhaps even using it to boost their credentials to sell their services.

“The larger fines forced through GDPR is definitely a good thing,” says Moore. “It will force all company’s both large and small to look a lot closer at their security and invest wisely, but as with so many positive things, it could quite easily form a “Hacking Rich List” with different parties vying for the top position of greatest fines levied on well-known companies.”

Whatever the motivation, the lesson from the BA fine is the same

However, Joseph Carson, chief security scientist at cybersecurity firm Thycotic, doesn’t believe that large GDPR fines such as BA’s will do much to encourage cybercriminals to target bigger companies.

“[The] majority of cybercriminals are financially motivated and won’t waste time on making bragging statements unless it is used as a ransom demand to keeping it quiet,” he told Verdict.

In the case of BA, the motivation for the attack appears to be financially driven. Cybersecurity firm RiskIQ came to the conclusion that cybercriminal group Magecart was responsible for injecting a malicious script into the BA site to steal payment card information.

Matt Lock, director of sales engineers at cybersecurity firm Varonis, told Verdict that “Attackers are motivated by a variety of factors, and targeting specific organisations and putting them in the cross-hairs of the ICO as payback or to build their own reputation isn’t far-fetched”.

He added that regardless of an attackers motivations, it  “doesn’t, and shouldn’t, change the approach all organisations need to take when securing our personal information”.

For data protection officers (DPOs) and chief information security officers (CISOs), the BA fine justifies their warnings about large GDPR penalties, says Robert Wassall, director of legal services at cybersecurity firm ThinkMarble.

“I think that many DPOs have felt like ‘prophets in the wilderness’, preaching data protection to a sceptical audience,” he told Verdict. “Maybe they’ll find it easier to get ‘converts’ now!”

Read more: British Airways breach: Airline industry too lax on cybersecurity, experts warn