GDPR fines on Marriott and British Airways : What can we learn?

by Isabelle Arnson

While data protection and privacy are well-worn concerns for organisations and individuals alike, GDPR implementation has remained a challenge. If there was ever any doubt that regulators would enforce GDPR, the Information Commissioner’s Office’s decision to fine British Airways £183 million ($230 million) following the 2018 data breach will surely put that to rest.

The ICO’s statement of intent explains that the airline’s ‘poor security arrangements’ made more than 500,000 of its customers victims of a data breach in which login details, payment card information, names, and addresses were stolen. The hacking group Magecart exploited a classic application security vulnerability: it most likely identified a poorly secured third-party JavaScript component on the company’s web page and injected its own code to route users to a fraudulent page that siphoned off their personal details.

This was not a sophisticated attack. It was an easy win for attackers: a well-known application security vulnerability sitting inside a poorly governed IT infrastructure. “Actual expenditure on technical solutions and staff time to implement the right security to prevent this will not have been near a nine-figure sum like the fine,” says Eerke Boiten, professor of cybersecurity at De Montfort University.

But not all data breaches are created equal. When Marriott failed to conduct sufficient technical due diligence when acquiring Starwood Hotels and Resorts in 2016, it unknowingly inherited a breach that had gone undetected in Starwood’s database since 2014. Starwood’s guest database had been compromised by bad actors who duplicated and encrypted guests’ personal data and worked to erase it. Marriott is now facing a £99.2 million ($120 million) fine from the ICO for GDPR violations.

With so many moving parts in an acquisition, rigorous technical due diligence is often taken for granted. While a company’s financials are easy to evaluate objectively, IT assets and risks are far more cumbersome to assess. “I don’t think there is an ideal process, and maybe that’s part of the problem,” says Jeff Pollard, VP and principal analyst at Forrester. Acquirers can typically only guess at the IT risks and opportunities they are inheriting, but as software becomes an ever larger factor in a company’s valuation, buyers should insist on more objective technical due diligence. The same principle applies to technology assets received from third-party suppliers. After all, you are what you eat.

It’s worth noting that neither British Airways nor Marriott was actively involved in any wrongdoing. They did not overtly breach any rules; rather, they fell victim to their own substandard application security and GDPR arrangements. Keeping on top of data protection and GDPR is no small task, especially when businesses are continually evolving the services they offer to customers. But the cost of a reactive rather than a proactive approach to application security and the integrity of IT infrastructure can run into the millions. It is high time for organizations to proactively leverage Software Intelligence to ensure application security and data protection are built into their software.

Filed in: Risk & Security
Isabelle Arnson, Business Development

Isabelle is a Business Development professional for CAST UK. She recently graduated from St Andrews University in Scotland with a degree in Management and French. Before heading to St Andrews, Isabelle held several positions in France and attended Seoul National University in South Korea. She now uses her international pedigree to further the mission of Software Intelligence.