The UK’s Information Commissioner’s Office (ICO) has finally done what it’s been threatening to for a while and levied enormous fines on British Airways’ parent International Consolidated Airlines (£183 million) and Marriott Hotels (£99 million). While subject to appeal, these are the first signs of how the ICO now has real teeth and is prepared to use them. The question is, what lessons can we learn from this?
Well, firstly, we can observe that card payments aren’t optimised for the internet. The BA breach looks like it was at entry point – i.e. it wasn’t that the data was breached while stored in a database but that someone managed to get hacked software to intercept payments in flight and capture the details. The point here, of course, is that the paradigm of giving your card details to the merchant so they can pass them to your issuer originated in the 20th century when we didn’t have a choice. Now, given that we have this internet thing it makes more sense to contact our issuer directly and tell them to pay the merchant. Realistically, this may be the only way we can be sure merchants won’t lose our card details – don’t give them to them.
This points to push payments a la PSD2 APIs. But given that these won’t be pervasive for a while then the next best option is to tokenise cards to either limit their use to a single merchant or even a single transaction. Both of these are areas we’re seeing lots of interest in, and ought to be high on the agenda of heads of IT security and payments everywhere.
Secondly, we can note that static credentials are a sitting target. Seeing email addresses and passwords breached opens up companies to all sorts of horrible consequential damages under GDPR – let’s face it, most people reuse the same combinations across multiple sites so a breach on one site can lead to exposure on another. Any company relying on static credentials should basically assume they’re going to get some level of breach.
Fixing this requires two factor authentication and we have a ready-made, state-of-the-art, solution here in the EU. PSD2 SCA is about as strong an approach as you could ask for and we have banks and authentication providers drowning in relevant technology. There simply is no excuse for a company using static credentials if they get breached. We’ve been working closely with providers to look at how to take these solutions into the wider authentication market, because there’s been a certain inevitability about the way a lot of companies have dealt with their data breach protection.
Finally, note that the point that BA have made – that they haven’t seen any impact due to their breach – needs to be quantified: “yet”. Hackers tend to sit on breach data for 18 months before using it, waiting for the identity protection schemes that are often engaged post these events to expire. GDPR allows affected companies and individuals to sue – up until now the costs of a data breach have been borne by banks having to deal with fraud and issue new cards and consumers having to sort out identity protection. The ICO fines may yet be just the be tip of a very expensive iceberg as GDPR ensures that the costs more appropriately allocated to the offending parties.