Page 11 - IMDR Journal 2025
Research Article
September 5, 2018. About 380,000 people had their personal and payment information stolen. This included names, addresses, emails, credit card numbers, expiration dates, and CVV codes. No passport or travel details were leaked. Hackers first broke into the systems of Swissport, a company that worked with British Airways. They used that access to put harmful code into the BA app and website. This code sent customer payment information to a fake website. British Airways did not notice the attack right away. A third party informed them on September 5. They removed the malicious code within 90 minutes of finding out. BA then told the UK data regulator (ICO) and warned affected customers. They were criticized for the breach, and their stock price dropped. The media also heavily criticized the company.

For the breach, the ICO finally fined BA £20 million, about 1/4 of the originally proposed fine of £183 million (1.5% of its revenue in 2017). The BA incident is argued to be among the biggest airline data breaches ever, which points to a long-standing material weakness in its web security and governance.

These incidents are examples of an increasing trend: airlines and airports have become a desirable target for cybercriminals because of the IT systems they currently have and use, and the valuable data those systems contain. In both the SFO and British Airways cases, hackers took advantage of weak security. They used the time they had after stealing data to do more damage. These attacks shook customer trust and forced both companies to take urgent action. Looking at these events helps us understand the need for stronger cybersecurity.

Analytical Frameworks

Understanding Cybersecurity with the NIST Framework

The NIST Cybersecurity Framework (CSF) is a guide to help protect important systems. It is not mandatory, but it helps companies manage risks. The framework has five main functions:

● Identify – Know what needs protection.
● Protect – Put security in place.
● Detect – Spot when something goes wrong.
● Respond – Act quickly to fix it.
● Recover – Get things back to normal.

When we look at the SFO and BA breaches using this guide, we see problems at every step.

● Identify – In the Identify stage, both companies did not fully know which systems or data were at risk. They also did not find the weak spots before the hackers did. Neither SFO nor BA had fully identified all critical assets or potential vulnerabilities before the breaches. For example, BA had not updated an old JavaScript library on its website, leaving a known exploit unaddressed. Both organisations lacked a thorough inventory of their online assets and did not recognise this weakness, indicating a failure in the Identify function.

● Protect – This covers safeguards like access control, encryption, and security best practices. In both cases, basic protective measures were absent or inadequate. Neither SFO nor BA used multi-factor authentication (MFA) on the accounts targeted by hackers. NIST emphasises MFA as a critical enhancement beyond passwords alone. Additional protections, such as endpoint encryption and secure coding, were also lacking. For instance, BA's decision to log plain-text credit card data for convenience (a human error noted by the ICO) represented a failure of protective design. SFO's websites had no secure web gateway or anti-malware filters, allowing injected scripts to operate undetected.

● Detect – This function pertains to identifying cybersecurity events promptly. Both organisations failed to detect the intrusions in real time. At SFO, the malicious code remained on the sites long enough to steal credentials before anyone noticed. BA similarly did not realise its systems were compromised until notified by an external party almost two weeks into the attack. This delay meant attackers had unrestricted access for an extended period. Effective intrusion-detection systems or real-time monitoring (components of the NIST CSF Detect function) were insufficient or inactive in both cases.

● Respond – Once a breach occurs, the ability to contain and mitigate impact is key. Both SFO and BA responded only after the fact. Their incident response teams were reportedly under-equipped and undertrained. For example, BA officials were slow to identify all affected customers and did not publicise details promptly. NIST recommends clear communication plans, roles, and procedures for incident handling. BA's response, which involved late notification to regulators and customers, showed that such plans were either absent or poorly executed. SFO had to scramble to remove malicious code and reset credentials, indicating it lacked a fully developed response plan.

● Recover – After incidents, organisations should restore systems and learn from failures. Both breaches caused entrenched reputational damage. Recovery for BA involved regulatory fines and an extensive PR response. The negative publicity was "widespread and entrenched" (especially for BA). NIST's Recover function would suggest formally updating recovery plans based on lessons learned. BA did revise some practices (e.g., removing stored card data) after the breach, but much of the damage to customer trust remained. In short, recovery in terms of regaining goodwill was costly and only partially achieved.

In summary, each NIST function reveals shortcomings. If SFO and BA had fully implemented the CSF, they would have conducted rigorous risk identification and put protective controls in place (such as MFA and secure coding), enabling faster detection of anomalies. NIST's emphasis on a "common language" and regular updates means organisations should continuously improve defences as threats evolve. The security breaches at San Francisco Airport (SFO) and British Airways (BA) show that the NIST Cybersecurity Framework (CSF) was either not used or not used properly. That is likely why the attacks were not noticed in time.

ISO/IEC 27001 and the Information Security Management

There is another system called ISO/IEC 27001. It is a standard way for companies to protect their important data. It works from the top down, meaning leaders are involved in
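Returning to the NIST analysis above: the Identify and Detect shortcomings both came down to not knowing which scripts belonged on a public website and not noticing when an injected one appeared. The following added example (my own illustration, not code from the paper, BA or SFO) shows the kind of inventory-based check those functions call for: every script on a page snapshot is compared with an approved inventory, and any script, or any host an inline script contacts, that is not in the inventory is reported. All hostnames and page contents are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed inventory for a hypothetical checkout page (placeholder hosts,
# not BA's or SFO's real assets): the Identify function's list of approved assets.
ALLOWED_SCRIPT_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}
BASELINE_INLINE = {hashlib.sha256(b"window.checkout = {step: 'payment'};").hexdigest()}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s"')]+""", re.I)

def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, baseline=BASELINE_INLINE):
    """Compare every <script> on a page snapshot with the inventory.
    Returns (finding_kind, detail) tuples; an empty list means no drift."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: its host must be in the inventory
            host = urlparse(src.group(1)).hostname or ""
            if host not in allowed_hosts:
                findings.append(("unknown_external_script", host))
            continue
        # inline script: its hash must match the approved baseline
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in baseline:
            findings.append(("unknown_inline_script", digest[:12]))
        # any URL inside an inline script must point at an inventoried host
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(("inline_script_contacts_unlisted_host", host))
    return findings

# Constructed snapshots: the approved page, and the same page after a
# third-party compromise added scripts that reach an unlisted host.
CLEAN_PAGE = """<html><body><form id="pay"></form>
<script src="https://cdn.example-airline.test/app.js"></script>
<script>window.checkout = {step: 'payment'};</script></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace("</body>",
    '<script src="https://cdn.unlisted-host.test/lib.js"></script>'
    '<script>fetch("https://collect.unlisted-host.test/c", {method: "POST"});</script></body>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_page(page) or "no drift from inventory")
```

Run on a schedule against the live page, this turns the two-week blind spot described above into an alert within one polling interval; the inventory itself is the Identify artefact that both organisations lacked.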