British Airways: ICO £20m penalty notice for information security breaches

The notice, although heavily redacted, contains some useful insights for managing security in professional firms into the security breaches that gave rise to the loss of personal data. The failures identified include failure to use multi-factor authentication, failure to address known Citrix security issues, failure to apply user access management (the principle of least privilege) and failure to implement application whitelisting or blacklisting. Other measures that could have been implemented include penetration testing, logging of access to certain files, monitoring of failed login attempts and monitoring of guest accounts.

See here.
