GDPR in the US: After the British Airways Hack

Illustration: GDPR in the US: After the British Airways Hack - Authentic8 Blog

British Airways (BA) announced in September that it had fallen victim to a hack that affected the personal data of 380,000 passengers. The BA hack could be the first prominent test case for the European Union’s General Data Protection Regulation (GDPR) that went into effect in May.

How has GDPR impacted U.S.-based companies so far? Are they prepared for EU regulators cracking down on cross-border data protection failures and privacy violations? The BA attackers exploited a third-party vulnerability in the airline’s digital supply chain, taking a path we recently examined on this blog. What are the lessons to learn from the British Airways data breach?

On our Silo Sessions podcast, Authentic8 Co-founder and CEO Scott Petry discussed these questions as part of his ongoing GDPR conversation with Steve Durbin, Managing Director of the Information Security Forum (ISF).

P.S.: This Silo Sessions episode was recorded before the disclosure of the latest security breach at Facebook, a theft of login access tokens of 30 million users and of personal identifiable information for 29 million of them. CNBC reported that the Facebook hack affected three million European users. (From across the Atlantic, you could almost could hear the sighs of relief in BA's boardroom.) Facebook's handling of the breach could result in a fine of up to $1.63 billion under GDPR.

This conversation was edited to fit the blog format.

*

Scott Petry: Leading up to last May’s GDPR deadline, we were talking specifically about why American companies need to prepare for GDPR and how to think about it. You used an example of the travel industry and were talking about users that might be mobile in different locations or going about in different places but their data still being under the umbrella GDPR.

Just recently we've learned that British Airways had a data breach of a bunch of their passenger user data and they might be the first to get hit with a fine following the GDPR regulations.

Steve Durbin: Yes, who'da thought. Nobody wanted to have that position - number one under GDPR. British Airways, unfortunately, has certainly captured that spot. It was a very big breach, 380,000 users - very confidential, very sensitive data, financial information, email-based information… It checks a lot of the GDPR boxes about personally identifiable information. It's exactly what GDPR was written about.

BA hack “exactly what GDPR was written about”

There’s a lot of speculation as to how it came about, but it'll be a while before the forensic investigation is complete. Industry pundits are looking at this from a number of different angles.

The first is really to understand the technicalities of it. What exactly happened? How did it go wrong for British Airways? And how can they and other organizations learn from that?

Secondly, the really big one: How is the Information Commissioner going to react? What kind of fine can British Airways expect?

I also saw some law firms looking to get in on the act, threatening class-action suits, which we haven't seen so much in the UK before. It’s much more common in the United States. So that'll be something of a first if it comes about. But we'll have to wait and see.

Scott Petry: Do you have any sense on the British Airways issue as to whether there's a harder look at the exploit itself or is there a deeper internal look now in the GDPR context, or is it too soon to say?

Steve Durbin: Two comments on that, Scott. I think that, from what is coming into the public arena at the moment, it looks very much as if this attack was well thought through, premeditated certainly.

There is talk about it being related to supply chains and attacks via code third-party code or legacy code perhaps - highly sophisticated, highly planned, and exploiting an area that I personally think a lot of organizations out there are going to be looking at, because it raises this whole issue of how do you preserve the integrity, the security of code if you haven't developed it yourself, if you have outsourced, or if you've used plugins.

The bad example set by Equifax

So the big question in that particular space on the technical side affects the other piece that I think is very interesting for me personally and also from the industry standpoint, because I've been caught up in the British Airways breach as an individual - as indeed I was with Equifax a while back, and a number of others…

Scott Petry: ...join the club, my friend…

Steve Durbin: ...you know, my personal data is out there. If anyone's trying to sell it, they really have no value. [Laughs.] If you don't already have it, then what have you been doing?!

But the issue around this is that GDPR requires some very clear steps to be taken once a breach has been identified. You need to be notifying within 72 hours. I was notified very, very quickly on this one.

I compare that with Equifax. I think with Equifax there was a two to three-month lag. British Airways was on it within days. More importantly, they obviously had worked with the third-party credit card companies and so on. I also got messages straight through from those as well, so that was a very well coordinated response. They have kept people up to date.

I have had multiple emails from British Airways, informing me of what they've been doing and what I need to do. They have called in the different authorities. They've informed the Information Commissioner. They have informed passengers and people who've used their website, what steps they're going to be taking in order to reimburse them, so that nobody is out of pocket.

High grades for BA’s timely breach response

From a breach response standpoint, I think British Airways has done a good job. Yes, they will be criticized. Everybody is going to be criticized when a breach happens. But I think that as far as following the process is concerned, you would have to say they scored very, very, very high. But we'll have to see how the Information Commissioner views it later on.

Scott Petry: Steve, I won't ask you to speak on behalf of British Airways, but you draw a really excellent contrast there with the mishandling by Equifax, and British Airways’ efficient handling of the breach and coordination with the downstream partners as well.

Do you think that's just British Airways nature? Or do you think their response is precipitated by the fact that there are new regulatory requirements for them?

Steve Durbin: I'm a big fan of GDPR, as you know, Scott - we've we talked about that before. I think one of the benefits of the regulation is that it does set out clearly what it expects people to do in the event of a breach.

Nobody imagined it was going to prevent breaches. What it was trying to do was to heighten the level of awareness of how such a breach would be viewed, from a seriousness standpoint, and to make sure that people have the processes in place to respond effectively.

There were clear guidelines within the regulation, and I think that we can see some of that being brought into play by British Airways.

Scott Petry: I'm a big fan of GDPR as well - no surprise, we talked about this last time. I think the idea of a framework for proper handling of user data and what to do in the event bad things happen is good.

But I thought that the bigger beneficiary would actually be the user, who under GDPR has the right to understand what's going on with companies’ data. We'll get into that in a minute.

Will GDPR be a boon for law firms in Europe?

I wanted to use that transition to talk about other potential beneficiaries of GDPR that you made reference to in the BA conversation, and that’s law firms. The circling is already starting with respect to the British Airways breach.

Does the litigation side have a bigger impact here? Is that something that we're going to see play out in the courts, or do you think those things will just get settled, and it'll be back to business?

Steve Durbin: I think it'll take a very brave organization to end up in court. Nobody wants to end up in court, because you never know how that's going to pan out.

The interesting thing for me - and for many other people, I think - is how you really prevent some of these breaches from happening in the first place. What British Airways in particular has been at pains to point out is that none of their users will be disadvantaged.

I think that if it were to get into a legal situation, that would then be taken into account. How much has the airline done already to recompense users for inconvenience, for loss of information, and all of the different elements that are mentioned by GDPR?

I don't think litigation is the way to go. I would like organizations to really step up and do the right thing. From what we've seen, I think in this particular instance all the indicators are that that will be the case.

Scott Petry: GDPR, as we know, is about the privacy of the EU citizens. But it affects US companies the same, if they have employees in the EU or if they have European employees or customers, even if they're not located in the EU.

How prepared are US companies for EU privacy regulators?

So it's muddy, but US companies are certainly liable, given the regulations. We talked about the level of preparedness of American companies leading up to the May deadline. Where do you think are US companies on the preparedness scale now?

GDPR Update: After the British Airways Hack - Scott Petry, Co-founder and CEO of Authentic8 in conversation with Steve Durbin, Managing Director of the Internet Security Forum (ISF)

Steve Durbin: I think it is still making its way through. My experience with American organizations is that they have stepped up. They have put in place some of the response mechanisms. They do have some of those processes.

I don't think that there are many organizations actually that today could put a tick in every single box and say, “we're there a hundred percent.” I think that most organizations, though, do have a route map that they're following.

I look at my own organization. We're small. And we still are resolving some of the issues around sharing employee personal data with third parties - issues like medical healthcare provider data and so on - and making sure that we're comfortable with the way in which that data is handled.

Breaches of the nature we've just been talking about just reinforce that point. So I'm sure it's going to be a question that is being asked in boardrooms up and down the country. What if it was here? Would we've been able to respond and what would the impact have been?

Scott Petry: Your organization deals with a lot of US companies. As you talk to those companies, do you see companies that might be offering technology solutions and might have a service or an application that would be governed by GDPR - acting differently than a company that might have employees or customers in the other region, but might be in a more traditional line of work?

Has GDPR hit home for all industries, or is it still being led primarily by technology companies?

The third-party stumbling block for data protection

Steve Durbin: I think one of the things that everybody has struggled with is trying to understand how much data they actually do hold, and where it is at each and every stage of the life cycle..

I think that technology helps in that space to identify that information. If you're a more traditional organization, that might be a little bit more difficult. It raises this whole issue - for me, anyway - of third parties, the supply chain, and how data is being shared.

That has been, I would say, something of a stumbling block for many organizations. And I think that the younger, more technically enabled organizations have had a bit of a head start.

Scott Petry: A lot of the data that is shared, exposed, processed, analyzed et cetera is handled using a browser. We've seen a couple of incidents recently, with Google and some of the extensions for its browser. Also, the most popular app in Apple’s App Store was stealing browser history data and sending it back to a server in China.

So a lot of this browser data is moving around in ways that we don't necessarily know as well. Have you seen any impact post-GDPR where companies reassess how the browser is
used and how they survey or supervise what employees are doing in the browser?

Steve Durbin: Not as much, to be quite honest, Scott. I think if you are capturing personally identifiable information in any way, shape, or form - then, of course, GDPR applies to it. This really does bring the technology companies - you mentioned Google and Apple - to the forefront of all of this. I was pretty encouraged to see that Apple had taken down a number of apps from the App Store. I think it was Trend Micro that lost out in that one in particular. For me, this is the kind of responsible behavior that, I think, is going to become the norm.

Responsible behavior - a new norm for Big Tech?

I think one of the interesting things here is that user expectation, our expectation of what we're looking for technology providers to do is to really step up and say, “look, we are on top of this, we are scanning, we are applying the right controls, and if we do find any apps that are not behaving as they should, we will do something about it.” How you stop it happening in the first place, that’s an entirely different issue.

Scott Petry: Maybe review your app a little bit better before you publish it… Yes, Google also removed the apps in question from the app store and sent notifications out to customers as well, and that's great.

Look, it's unfortunate that a regulatory framework or legislative guidelines need to be put in place. But the net result is positive. It feels like there is a post-issue behavior change with some of these examples we've spoken about, and that's what GDPR set out to do - so this is potentially encouraging.

Sticking with the browser, there is certainly some aspect of personally identifiable information in browser logs, which means it's potentially information covered by GDPR. But there's also a belief in the EU that employees have any right to browse - a right to get access to the public
resources on the internet for them to maintain their work/life balance, even though they're using work resources.

I think the laws have interpreted the situation differently in the US versus the EU. In the US, the organization can define how the asset is used if it's a corporate asset. In the EU, it's a little less clear. Have you seen any greater attention spent on the policy side? Should we be logging what users are doing, can we be logging what users are doing on the web when they're using a browser from their work location?

Employers “keen to demonstrate transparency”

Steve Durbin: I’ve certainly seen some organizations revisit policies in that space and it comes back to this transparency piece. I think one of the things that employers are keen to do is to demonstrate that there is transparency.

There has been a review by many organizations of “what are we saying in this place, how are we conveying that message to our employees, how are we making clear to them what’s acceptable and what is not.”

And on the other side: “Are we listening to what it is that the employee expects to be able to do in the course of their daily work?” That is a hugely important component as well. It goes straight to the heart, I think, of the employment contract.

Scott Petry: Yes, we've certainly seen more awareness in organizations that have other forms of sensitive data - whether it's medical organizations or financial services organizations. But I think it's a little bit early to say what the broader trends are going to be. You mentioned transparency though. Talk a little bit about that.

Steve Durbin: Yes, I think the GDPR was pretty clear in that as a user, you have a right to understand how your information is being used. You have a right to agree to how that might happen, and you have a right to understand how an organization might be using it. And if you so choose, you may ask that information to be removed, and the organization that has been holding it then has to demonstrate back to you that that has happened, unless they have a lawful right to that information.

Uptick in GDPR Subject Access Requests

So the subject access request is a very simple process for an individual. Have we seen an increase in those? We’ve seen an uptick more out of interest rather than anything else, I think. There has been an increase in subject access requests for some, but the GDPR also does say that there must be valid reasons fulfilling one of these things. You can't just submit one it because you're a disgruntled employee, for instance.

I've been talking to a number of organizations that have had to remove personal data. They tended to be more in the online marketing, digital marketing or sales type of environment - organizations, I would say, that probably didn't really clean up their databases well enough beforehand.

As you said, most of the organizations that are out there sending out information are at pains to ensure that they have positive consent to the use of data, so that's been a big change that we've seen.

Scott Petry: Yes, many of these organizations are thinking about it in a global context. You may have an IP address that's local, but I can't be sure who you are, where you’re coming from, or where you're coming from or where the jurisdiction is.

Steve Durbin: It's the safest thing to do, and it's becoming good practice. And I think that's a good thing, exactly.

Did GDPR really register with consumers?

Scott Petry: I'm now quoting UK-based Marketing Week. Not necessarily the expert on GDPR, but they had a story that was titled “GDP three months on - most consumers feel no better off”, which I thought was interesting, if a little bit contrarian. But I wonder what your take is on that. Do consumers feel better or worse or the same?

Steve Durbin: I think for a lot of consumers, there's been no real change. Why would there be? GDPR comes into its own when we see breaches like at British Airways. That's when consumers really understand some of their rights.

In the normal scheme of things, if everything's working smoothly, I don't think people do tend to notice too much. It probably takes something to go wrong before they become aware that actually they've got some other protection that they didn't have before. And so they
can make use of it. But I don't think that GDPR was really geared towards trying to create a sort of a shock wave across consumers - “wow, we know we've suddenly got all this new power.”

Scott Petry: I think you're right, and I agree with you. I really liked the user-centric view of GDPR: that the company that held the data, was the steward of the data, had to answer to the user.

Outlook: Big steps towards global privacy law

Now, that didn't mean that the user would actually ask. It just meant that the organization had to be prepared to do it and that there was a legal framework requiring them to be able to manage it. There's a fellow Dark Reading contributor, Tim Critchley, who called GDPR “a catalyst for a much needed global all-encompassing data security and privacy law.” That sounds very idealistic, but I don't know... - how far in your estimate are we down that path?

Steve Durbin: I think we've we've taken some pretty big steps down that route. I was in Singapore recently. In response to the GDPR, they have developed some very advanced privacy regulations over there, which cover a number of the areas that GDPR is covering. India would be another example. Down in Australia... - Australia has been a little bit slower to look at
privacy in the way that the Europeans do - but that certainly has changed of late.

In the United States, of course, we've got what's been going on in California. So I think GDPR has been something of a global catalyst, because it has such far-reaching implications and it does have some pretty sharp teeth for the regulators. That marked a significant change.

Scott Petry: When we spoke in February, we were talking about GDPR not being like the Y2K bug. That was the transition from 1999 to 2000 where many information processing systems weren't able to calculate their stored date information. But it was the kind of thing where, when January 1st passed and your app was still running, you were good to go.

GDPR is not like that. And I will say, I'd love to speak with you again in six months and check in and see how things are developing. Thank you for joining us, Steve - always a pleasure to speak with you about GDPR.

We have put up a website with GDPR resources, even GDPR resources that might be relevant in a post-May GDPR deadline world, at authentic8.com/GDPR. Steve, why don't you give a pointer back to ISF?

Steve Durbin: A lot of the things that we've been talking about are available for reference on our website. It's www.securityforum.org, and I can be contacted through our website as well.