British Airways breach will show us the first serious GDPR penalty

British Airways Quick to Comply with Notification Rules

When British Airways discovered it had been the victim of a cybersecurity breach between August 21 and September 5, 2018, it informed its customers and announced what had happened the very next day, September 6. The company was immediately forthcoming and well within the General Data Protection Regulation’s (GDPR’s) allowance of 72 hours to provide notice. 380,000 booking transactions were stolen, including bank card numbers, their expiration dates and CVV codes.

"Skimming" is how the breach happened, same method as the Ticketmaster breach

The breach was carried out by a script running on the payment page, a technique called “skimming”, which steals the information before it is submitted. Security researchers have seen this before, recognizing it as similar to the Ticketmaster breach in June this year, and believe the same perpetrators, Magecart, may have carried out this attack.

Will their fine be large or not so much? Opinions are mixed

Some feel that, despite the fast notification by British Airways, the company could still face a large fine under the GDPR. Others have reason to believe it may not be so severe. The maximum GDPR fine can be 4% of the prior year’s annual revenue, and for British Airways that would be £500 million. Or, if the parent organization, International Airlines Group (IAG), is held responsible, that GDPR fine figure could go higher.

Beyond that, British Airways is also threatened by the law firm SPG Law with a possible £500 million class-action lawsuit based on liability to compensate affected users for non-material damage under the 2018 Data Protection Act, the UK’s implementation of the GDPR. British Airways has said it will cover material costs its customers face, but the law firm claims that under the GDPR breach victims also have a right to be compensated for non-material damages, up to £1,250 each, for things like inconvenience and stress.

The highest fine so far imposed by the Information Commissioner’s Office (ICO) under the GDPR was against Facebook for its first breach, which came to light last summer, compromised 87 million people and later involved Cambridge Analytica. (Since then, Facebook has experienced another, separate and possibly worse breach, which puts it in the position of facing another, even larger fine.)

Even though British Airways’ breach is one of the first serious cases under the GDPR, comparatively speaking it is not nearly as bad as some recent major ones, such as the 2017 Equifax breach, where 145 million people across the US, Canada and the UK had extremely sensitive information stolen, including birth dates and social security numbers. Having credit card information stolen is bad, but credit cards can be replaced. No one can change their birthday or social security number, both of which are regularly used to personally identify individuals, leaving them more at risk when it comes to identity theft.

In this case, where the number of victims is far smaller and the data stolen is not as sensitive, one might expect to see a less than maximum fine from the ICO. Also, if organizations feel a fine is unfair or over the top, or if it is so high that it could damage their business or even their existence, they can challenge it in court, a scenario best avoided whenever possible. Businesses and individuals want the GDPR to have enforceability and teeth behind its rules, but everyone also expects regulators to assign penalties that are appropriate to the violations.

These may be early cases of impact under the GDPR, but at the rate data breaches are happening, this is only the beginning.

What your company can do to protect itself

The best thing companies can do is take more steps to protect themselves against these predicaments. Stricter cybersecurity is a must, such as following principles based on ISO 27001, Cyber Security Essentials and other security guidelines. And the unique application security available from Virsec is something organizations should look into for protecting their applications.

Companies can also consider cybersecurity insurance. And lastly, companies should double-check that they already have policies in place to ensure they handle any data breach properly and according to the rules. The only thing worse than a data breach is a data breach handled badly, and penalties increase accordingly.