The latest changes to the General Data Protection Regulation (GDPR) state that organisations must report any breach within three days of its occurrence. In the case of British Airways, it took the company just 24 hours to report that it had been the victim of a cyber-security breach between the 21st of August and the 5th of September. On the 6th of September, the firm told its customers that data from nearly 400,000 transactions had been stolen, including the numbers, expiry dates and CVV codes from bank cards.
Shortly after this, it came to light that the data had been stolen through a script designed to skim financial information from the payment page before it was submitted by the user. It is suspected by many security researchers that the culprit is Magecart, the same group which was responsible for the Ticketmaster breach earlier this year.
In spite of the airline’s speed in reporting the breach, some suggest that it could be in line for a large fine under GDPR. The largest fine previously issued by the Information Commissioner’s Office (ICO) was £500,000, a figure which could be eclipsed in this case, as firms can now be fined up to 4% of turnover, which would lead to a figure closer to £500 million. This figure could become even larger if BA’s parent company, International Airlines Group, is held accountable. In addition, BA will also be required to compensate any customers who have suffered fraud as a result of their data being stolen. The firm SPG Law has also threatened a £500 million class-action lawsuit in the UK, which seeks to have BA held liable for non-material damages under the 2018 Data Protection Act, the UK’s version of GDPR.
BA has already committed to compensating customers for any losses incurred by the breach, but SPG Law alleges that the company is also liable to pay further compensation of £1,250 to all customers whose data has been stolen.
It is obvious that the airline is fast becoming a test case for fines under the new regulations, but some cyber-security experts suggest that this breach is not as bad as other recent major incidents. The 2017 Equifax breach, for example, had as many as 145 million victims across Britain, Canada and the US, far more than the BA breach. It is suggested that the 4% of annual revenue fine should be reserved for a “mega-breach” such as Equifax and not for the comparatively small case of BA. On the other hand, everyone wants the GDPR to have teeth, so the ICO has to strike the right balance here.
It must be noted that the new regulations come at a time when cyber-crime is becoming increasingly sophisticated and difficult to protect against. Indeed, it is suggested that companies are not failing with regard to cyber-security, but rather that attackers are simply becoming increasingly good at stealing data. Fining the airline the maximum would perhaps make little sense, given that it could put the company out of business. Experts predict the fines are more likely to be in the range of £5 to £10 million.
It was announced in August that complaints to the ICO with regard to data breaches were up 160% since the introduction of GDPR, with many businesses coming under increased scrutiny. For high-profile companies, KRYPSYS now recommends well-trained PR staff as well as digital forensics, incident response and breach insurance, in addition to standard security controls based on Cyber Security Essentials or ISO 27001.