British Airways could face a £500m fine for a major data breach

It was only a matter of time…

When the GDPR came into force on 25th May 2018, we sat waiting for a tsunami of data breaches. There have been a series of notable cases since, but none as big as the recent British Airways revelation.

Massive fine!

British Airways could face the maximum fine for this breach. Under the GDPR that is the higher of €20m or 4% of global annual turnover for the preceding financial year; based on BA's 2017 revenue, they could be looking at a fine of around £500m.

How many people have been affected?

The data breach has affected hundreds of thousands of customers, approximately 380,000.

Update 25th October 2018

In a statement released yesterday by International Airlines Group (parent company of British Airways) regarding the cybersecurity incident reported on 6th September, IAG states that “77,000 additional cardholders are being notified of the breach of information including: name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV”.

For more information, please review the full statement: https://bit.ly/2z58q0I

What happened?

Customer data was stolen between 10.58pm on 21st August and 9.45pm on 5th September 2018.

Personal and financial details were stolen, and British Airways have called in the National Crime Agency and the National Cyber Security Centre to establish exactly what happened.

British Airways made a statement:

“The breach has been resolved and our website is working normally,” BA said in a statement. “We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

Customers who used the website's online booking service during that period were notified by British Airways at 10pm on Thursday 6th September.

The apology…

British Airways apologised. “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously,” said Alex Cruz, British Airways’ chairman and chief executive.

British Airways created a customer data theft page with the following comments:

  • BA is investigating the theft of customer data from its website and mobile app between 21st August and 5th September
  • Personal and financial details were stolen, but travel and passport details were not
  • The issue has been dealt with and ba.com is working normally so new bookings won’t be affected
  • Customers will not be left out of pocket because of the cybercrime
  • British Airways continues to investigate with the police and cyber specialists and has reported the data theft to the Information Commissioner

Read the whole statement here.

It doesn’t stop there. There will be an aftermath: fraudulent phone calls from people claiming to be British Airways and asking for bank details in order to process a refund, a loss of trust in BA’s data protection, and reluctance to use its online services. Any unsolicited call asking for card or bank details in connection with this incident should be treated as suspect.

Unfortunately, this is most probably only the first of many such cases.

An article in the Telegraph suggests that BA had been made aware of flaws in its systems and that it was in breach of PCI DSS compliance standards. Read more…

An internal IAG memo has also come to light detailing the outsourcing of cyber security to IBM. Was this too little, too late? Read more…

Not only are the GDPR and the UK Data Protection Act 2018 relevant in this case, but if PCI DSS standards were breached, it will be a very good test case for how the ICO and other supervisory authorities handle the investigation and any subsequent fines. Note that PCI DSS is a contractual standard enforced by the card schemes and acquiring banks rather than a law, so any penalties under it would sit alongside the ICO’s process, not within it.

Is this the breach we predicted would be the wake-up call for companies to take data protection seriously? Read our article to recap.

Is your organisation prepared? Take our training course to help you understand your company’s obligations.

Information security is at the heart of this case. Companies that have buried their heads in the sand when it comes to protecting personal data need to learn the lessons of this breach and prepare.

The eventual cost of this breach is yet to be determined, but a headline fine is only the starting point of British Airways’ woes. Reputational damage is one concern. Could the facts uncovered in this case also drive compensation claims, or possibly a class action?

Was your information compromised? We would like to hear your thoughts.

Adrian McGarry
