The update to the General Data Protection Regulation (GDPR) stipulates that firms must report a breach within 72 hours. It took British Airways just one day to announce it had been hit by a cyber-attack between 21 August and 5 September. On 6 September, the airline informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and CVV codes.
Soon afterwards, it was discovered that the details were taken via a script designed to steal financial information by 'skimming' the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster in June this year: Magecart.
Despite BA’s quick reporting of the breach, experts think the airline could be hit by a huge fine under the GDPR, which came into force on May 25. Previously, the largest fine issued by the Information Commissioner’s Office (ICO) was £500,000.
But under GDPR, firms can be fined up to 4% of turnover; in BA’s case, £500 million. If the airline’s parent group, International Airlines Group (IAG), is held accountable instead, the number could be even higher.
And of course, the fines are in addition to any compensation BA needs to pay to customers who might have suffered financial fraud as a result of the breach. But the costs do not end there: BA has been threatened with a £500 million class-action lawsuit in a UK court by law firm SPG Law. It alleges BA is liable to compensate for non-material damage under the Data Protection Act 2018, the UK’s implementation of GDPR.
Indeed, the GDPR says: "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
The airline has already pledged to cover any losses suffered by its customers, but SPG Law says that under GDPR, breach victims have a right to further compensation of £1,250 each.
It’s clear BA is becoming a test case for the fines under GDPR. But the breach of the airline is not as bad as some major recent hacks, says Ian Thornton-Trump, a cyber security industry veteran.
He points out that the 2017 Equifax breach saw 145 million victims in the US, UK and Canada have their “extremely sensitive information” stolen. This is many more than the BA data breach, where 380,000 credit card transactions were taken, he says.
“If the benchmark for the 4% of annual revenue fine is reserved for a mega-breach, the 380,000 credit cards is really small,” he says. “The ICO is in a tough spot on this. Certainly, the investigation and research will need to go on for a very long time before a fine is decided. If it is unreasonable, you can expect litigation and court challenges. Everyone wants the GDPR to have teeth, so the ICO has to strike the right balance here.”
But GDPR comes at a time when cyber-attacks are exceedingly sophisticated. Thornton-Trump doesn’t think companies are failing at basic cyber security post-GDPR. “What we are seeing is the cyber-crime adversary becoming very good at stealing from companies.”
“BA got hit by elite bad guys and if they can prove that they had even basic security controls – which they should have – their fine will be less substantial and punitive,” he predicts.
In fact, he says, credit card and bank account numbers “are all easy to replace” and “money can always be refunded”.
“What you can't change – or is far more difficult to change – is your national insurance number or date of birth, so it's far more serious when that type of information is stolen. So, is it a test case? Absolutely. Will it result in a major fine? I don't think so.”
It doesn’t make sense to fine BA the maximum, given that it could put the company out of business, he points out. “Imagine if the ICO lost its mind and went for the big one – the whole 4% of annual turnover – and pushed BA to the point of insolvency? Massive lay-offs, job losses, no more new planes. That would be an unacceptable outcome at government level, demanding a bail-out.”
Thornton-Trump predicts a fine “in the £5 to £10 million range”. He says: “That's substantial, but it does not put the company at risk and is not ‘too political’.”
In August, it was announced that data breach complaints to the ICO were up 160% since GDPR came into force. “One can imagine that many businesses are coming under scrutiny,” says Thornton-Trump.
So, what can firms do to avoid getting into a similar situation? In addition to cyber hygiene based on ISO 27001, Cyber Security Essentials, or CIS 20, Thornton-Trump thinks firms need breach insurance, well-trained PR, digital forensics and incident response.
“The reality is, a data breach is bad, but a poorly handled one is significantly worse and makes both customers and shareholders anxious and upset,” he says. “Investment in the capability to detect, respond and recover from a data breach will go a long way to assure all stakeholders that the impact of a cyber security event is reduced.”