Europe, Content, EMEA

British Airways Data Breach: How Will GDPR, EU Officials Respond?

What did British Airways (BA) know about a data breach that recently hit some 380,000 of its customers and when did the massive airline know it?

For two weeks in late August and September, some as-yet unidentified hacker(s) dipped into the airline’s database to hijack account numbers and personal information of customers booking travel online, Bloomberg reported. BA CEO Alex Cruz has subsequently apologized in a letter to the victims, the report said.

British Airways has posted a data breach FAQ here to assist customers with information gathering.

Thanks to the newly-enacted General Data Protection Regulation (GDPR), there are serious repercussions for BA beyond reparations and cleanup.

  • Did the carrier take the proper precautions to protect the credit card information compromised in the heist, as mandated in the GDPR’s orders?
  • Did it report the break-in within 72 hours after knowing about it as required? Officials at the U.K.’s Information Commissioner’s Office (ICO) are looking for answers.

At this point, BA "has made aware of the incident and we are making enquiries,” an ICO spokesperson told Bloomberg.

British Airways Data Breach: The First Big GDPR Test?

Ultimately, it will be interesting to see if there’s bite in the data privacy rule’s teeth -- is BA culpable, has the company failed to play by the rules and does it deserve a fine? The answers will surely go a long way to determining if the airline will be penalized up to four percent of its annual global sales that could amount to some $650 million under the GDPR’s rules. As for a potential fine, BA told Bloomberg that it’s concerned with attending to the “customers that may have been affected.”

If the ICO, with cause, bonks BA as its first large offender under the GDPR, it won’t be hard to see the office’s point. In July, it dinged social media giant Facebook with the maximum penalty of £500,000 (roughly $650,000) under earlier data protection laws over its unauthorized sharing with Cambridge Analytica of personal data on millions of its users and failing to protect their private information. Had Facebook been fined under the GDPR the penalty would have been $1.6 billion, according to a Business Insider calculation.

At the same time, the number of smaller data protection incidents are starting to pile up. In the six weeks from May 25 -- when the GDPR took effect -- to July 3, some 6,300 documented grievances were filed by U.K. individuals and companies claiming their personal data has been accessed without permission. That’s more than 2.5 times the number recorded in the same period last year.

Standing on the sidelines for now are the cyber insurance providers, which may spring into action should the ICO elect to ding BA’s coffers, simultaneously sporting a frown and a smile, the former for paying out on a hefty claim and the latter from a spike in policies and premiums that could result. Over the past five years, cyber premiums have grown at 23 percent annually and by 2021 will be worth some $4 billion, a compound annual growth rate of 14.1 percent, according to Aon, a London-based professional services firm. An earlier study by Willis Towers Watson, a risk management, insurance brokerage and advisory company, concluded that total annual cyber premiums could reach $10 billion by 2020.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.