BA Data Breach: a post-GDPR fallout following personal data breaches

Sep 13, 2018

British Airways is the latest major company to suffer a major data breach which resulted in customers’ personal and financial details being stolen.  In what was described as a “sophisticated” breach of its website, BA has been swift to assure that those affected will be compensated.

What happened?
Between 21st August and 5th September 2018, cyber criminals hacked into BA’s information systems accessing (or more likely intercepting) around 400,000 customers’ name, email address, and full credit card information – including the three-digit CVV number on the back of credit cards. The breach resulted in the compromise of the personal details of customers booking flights both on BA’s website and its mobile app during that period. 

Customers were immediately notified of the breach once BA was aware of it.  Unfortunately, it took two weeks before the breach was even detected, prompting questions as to the quality and effectiveness of BA’s internal detection processes and systems.

We understand the National Crime Agency and National Cyber Security Centre are investigating the incident.  BA now faces potentially hefty fines of up to 4% of annual global revenue under the General Data Protection Act (GDPR).

What are the rules on notification of data breaches?
In the event of a personal data breach such as this which poses a risk to the rights of data subjects (the individuals whose personal data was taken), organisations are required by the GDPR to report it to the ICO without delay.  In any event, it must be reported within 72 hours of the organisation becoming aware of it – even if not all the details are known. Where the breach poses a high risk to the data subject, those individuals affected must also be informed without undue delay.

Of course, prevention is far preferable than being in a position such as BA’s.  Efficient and effective detection and response is vital, and the GDPR places a greater burden on businesses than ever before to ensure they:

  • have robust procedures and policies in place
  • are able to detect and identify data breaches swiftly, and
  • implement efficient and effective procedures for investigation and internal reporting

What does this mean?
The BA data breach is a salutary reminder of the risks that face businesses, however unlimited their resources.  The consequences of personal data breaches are not only financial – the reputational fallout can adversely affect a company’s fortunes for many years.  

How can we help?
If you have any concerns about your data protection policies and procedures, particularly in light of this latest data breach, contact the experienced commercial and data protection solicitors at Herrington Carmichael for urgent specialist advice before taking any further steps. 

Please contact Matthew Lea on 01189 898 155