GlobalSign Blog

14 Nov 2018

How Well did British Airways Handle Their Data Breach? A GDPR Case Study

In September 2018, leading airline British Airways announced that it had suffered a data breach and that customer data had been lost. The company released details that the theft had occurred between 21 August 2018 and 5 September 2018, and that as many as 380,000 transactions had been affected.

This breach is important not just because of its size and the obvious effect it will have on the people whose data has been compromised, but also because it is one of the first large instances of data loss since the introduction of the General Data Protection Regulation (GDPR). The GDPR came into force in May 2018, providing businesses with a modern framework for understanding their data protection obligations, as well as widening the range of powers available to regulators and increasing maximum fines.

Here we will take a look at how well BA handled the data breach, whether they acted in accordance with the rules of the GDPR, and what the potential outcome could be.

What Happened?

The chief executive of BA described the breach as a ‘malicious criminal attack’, although specific details of how the data was stolen have not been released by the company. The breach took place over 15 days and related to bookings made during that period. Personal and financial details were compromised; however, no passport information or travel details were lost.

Cybersecurity experts have suggested that the attackers carried out something akin to a digital version of card skimming, in which data was copied as customers entered it into the system during the purchasing process.

How Has the GDPR Changed Things?

Of course, before the introduction of the GDPR there were plenty of examples of authorities placing large fines on even larger companies for failing to adequately protect data. Perhaps the closest example of GDPR-style fines came in 2016, when messaging platform WhatsApp was fined €10,000 per day for failing to comply with Dutch regulations on data control.

Ultimately, the GDPR was introduced to give regulatory bodies greater powers to impose fines for data protection breaches. Not only has the introduction of the GDPR increased the maximum amount that a company can be fined following a data breach, it has also made it easier for those fines to be genuinely processed and collected.

Did BA Act Appropriately?

It is important, then, to establish whether BA acted within the rules of the GDPR to understand what the business can expect in the way of fines and other punitive measures. The GDPR stipulates that organisations must report a data breach within 72 hours of becoming aware of it. BA managed to announce the data breach within a day of discovery, as well as providing specific details of who had been affected, and the kind of data that could have been compromised.

Nevertheless, the company suffered a hack, and this could be taken as a sign that it had not taken adequate precautions to protect its customers’ personal data.

A Test Case for the GDPR?

Perhaps what is most interesting about this case is that it is one of the first truly high-profile data breaches suffered by a large company since the introduction of the GDPR. This means that many organisations will be looking at the kind of fine they could expect if they were to suffer something similar – a test case for the new regulations and how they are enforced.

Some have suggested that an example will be made of BA, to show organizations that they must start taking their cybersecurity seriously. On the other hand, BA acted in accordance with the guidelines of the GDPR in terms of keeping customers informed. The regulatory bodies have a responsibility to be reasonable and fair.

How Much Could BA Be Fined?

Theoretically, BA could be fined as much as €20 million or 4 percent of their global turnover – whichever is higher (and in BA’s case this would be the global turnover figure). However, in terms of a data breach, this isn’t a truly huge-scale or catastrophic data loss. Some industry figures have suggested that the fine could be somewhere between €5 million and €10 million.

The largest fine that has ever been issued by the Information Commissioner’s Office (ICO) was £500,000, so it will be interesting to see whether the company will face higher fines. And of course, on top of the fines, any person who was affected by the breach could potentially be eligible for compensation from the firm, so it could ultimately end up being extremely expensive.

About the Author

Mike James is an independent writer, tech specialist and cybersecurity expert based in Brighton, UK. Published in many of the leading online and print magazines, he is a featured writer on Ethical Hacking, Penetration Testing - and how best these technologies can be implemented to businesses of all shapes and sizes. Mike also writes about the odd recipe and exercise regime, when not on the geeky stuff!

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
