A data breach at British Airways should prove an interesting test case for the EU’s General Data Protection Regulation (GDPR), but it should also act as a wake-up call for businesses.
On 6 September, British Airways (BA) revealed that it was investigating the theft of personal data belonging to 380,000 of its customers. It is believed that the data included personal and financial details of customers using the airline’s website and app between 21 August and 5 September 2018.
The data breach is not the first cyber incident to trouble BA or the airline industry. BA suffered a major IT outage in 2017, grounding more than 700 flights, while IT problems also caused dozens of cancellations in July 2018. A number of other airlines have suffered IT glitches in recent years, while a cyber attack in September caused disruption at the UK’s Bristol Airport.
BA did not give details of the data breach, other than to say it was the result of a “sophisticated, malicious criminal attack”. The UK’s National Cyber Crime Unit (NCCU) is on site working with BA to gain a better understanding of the incident, as is the National Cyber Security Centre. The UK’s Information Commissioner’s Office (ICO) is also making enquiries.
While the cause of the data breach has not been disclosed, RiskIQ suggested that BA was the victim of a web skimming attack (also known as formjacking), where criminals inject malicious JavaScript into an e-commerce website to copy payment card details as the customer types them into the checkout form, before the data ever reaches the merchant’s servers.
The cyber-security firm said that it found malicious code associated with a cyber-gang called Magecart on BA’s website, similar to code used to steal personal data from Ticketmaster earlier this year.
RiskIQ says Magecart has been operating web-based card skimmers since 2016. In the case of BA, Magecart appears to have deliberately targeted the airline, customising its attack to fit BA’s website setup and to avoid detection for as long as possible. The cyber security firm also believes that the hackers must have had access to BA’s site before the reported start date of the attack on 21 August.
The breach is one of the largest and most high profile to have taken place after the implementation of GDPR. The regulation introduced new notification requirements and tougher penalties for breaches, as well as enhancing rights for consumers and requirements for companies. Commentators have suggested that the breach is one of the first real tests of the GDPR, in terms of assessing a large company’s response to a data breach and calculating the potential fines.
For example, the GDPR requires companies to notify the regulator within 72 hours of becoming aware of a breach and, where the breach is likely to result in a high risk to individuals, to inform affected data subjects without undue delay; BA managed both within 24 hours. Prior to the GDPR’s implementation in May, companies tended to wait months before revealing a breach of personal data: Equifax disclosed its 2017 breach some six weeks after discovering it, and months after the intrusion had begun.
The hack illustrates the immense pressure that companies, especially big brands like BA, come under when suffering a data breach. The company was quick to notify, but has been criticised in the media for the lack of detail made public, even though it was still investigating the breach and the matter is now the subject of a criminal investigation.
Under GDPR, data breaches can result in large fines of up to 4% of a company’s global annual turnover (or EUR 20 million, whichever is higher), which for BA is around GBP 490 million based on its 2017 figures. However, maximum fines are only intended for the most severe breaches of data protection rules, and any fine would depend on whether BA had failed to adequately protect customers’ personal data.
Not all data breaches lead to a fine. Even if BA is found to be at fault, the ICO will consider various mitigating factors, including previous data breaches, measures taken to prevent security breaches and actions taken to limit the damage.
The BA data breach is actually relatively small, with 380,000 victims compared with around 140 million for Equifax. However, the data breach took place under the GDPR regime and involved payment card data, factors that are likely to drive up the cost of the data breach.
In addition to the threat of penalties, BA is likely to face a number of significant costs, including the immediate costs of dealing with the breach and the cost of notifying and compensating customers. The airline, a subsidiary of International Airlines Group (IAG), has already offered affected customers a 12-month credit rating monitoring service and indicated that it will compensate customers who suffered financial losses as a result of the data breach.
Cyber incidents may also require increased resources to deal with customer complaints and enquiries. According to law firm Pinsent Masons, it is increasingly common for organisations to receive data subject access requests following a data breach incident. As a result, companies like BA will need to be prepared to deal with subject access requests in accordance with Article 15 of GDPR.
Fraud is another area where companies can incur substantial costs following a cyber incident: the recent IT outage at UK bank TSB resulted in a 70-fold increase in fraudulent activity. Both BA and the NCCU have warned of the risk of secondary fraud attacks, where opportunistic cyber criminals target the victims of a data breach, for example with phishing messages that pose as the breached company.
LIABILITY AND LITIGATION
The airline will also face potential litigation, with at least two UK law firms looking to build group-action suits. SPG Law and Hayes Connor Solicitors are both registering claimants interested in claiming “compensation for inconvenience, distress and annoyance associated with the data leak”. Hayes Connor says its proposed no-win, no-fee group litigation would seek compensation of £5,000 per person.
While BA is offering to compensate customers for financial damage suffered as a result of the data breach, Article 82 of the GDPR also entitles victims of a breach to compensation for non-material damage. Companies and their directors could also face claims from shareholders regarding the impact of a data breach on a group’s share price - shares in IAG closed 1.4% lower on news of the data breach.
BA could also face liability or litigation related to payment card industry costs; a number of UK banks have already cancelled and reissued payment cards. The breach is also thought to have compromised card security codes (CVV numbers), which are not meant to be stored by merchants at all and are exactly what a skimmer on the checkout page captures. Banks, credit card companies and card processors may seek to recoup from the merchant the expenses of forensic investigation, as well as fraudulent losses and the cost of reissuing cards.
INVESTING IN CYBER SECURITY
Attacks like this inevitably raise questions about cyber security and the ability of companies to prevent data breaches and protect personal data. Airlines are under pressure to minimise costs, and IAG has been criticised in the past for not investing sufficiently in technology. No organisation can be 100% safe, but boards will have to weigh up the cost of cyber security against the risks, and look for ways to finance or transfer residual risk, potentially through cyber insurance.