The UK’s largest airline, British Airways (BA), revealed late on Thursday evening (6 September) that they had suffered a data breach as a result of an attack on their website, which took place between 21 August and 5 September 2018.
The breach was reportedly discovered on 5 September and resulted in the theft of personal data including email addresses, home addresses, customer names and payment card details, with approximately 380,000 transactions affected. However, BA was quick to reassure customers that no travel or passport details had been taken during the breach, and it has been contacting the customers it believes were affected.
How did the breach occur?
According to BA’s Chief Executive, Alex Cruz, it was not due to a breach of the airline’s encryption; rather, “there were other methods, very sophisticated efforts, by criminals in obtaining our data”. Beyond that, few details have been released.
What will happen next?
Under the new General Data Protection Regulation (GDPR), BA was obliged to notify the Information Commissioner’s Office (ICO) of these personal data breaches within 72 hours of becoming aware of them. This notification has been made and we are now waiting to see what action the ICO takes.
BA has also taken steps to notify the data subjects whose data was taken. Reports suggest that this has not been entirely successful and many people affected have found out through the press rather than from BA. It is arguable whether this was mandatory under the GDPR which only requires data subjects to be notified where the breach constitutes a high risk to the rights and freedoms of individuals.
Under the GDPR, national regulatory authorities such as the ICO have the ability to levy fines as high as £17.6 million (€20 million) or 4% of global annual turnover. If BA were to have the latter imposed upon them, the airline could be liable for a fine of up to £500 million. However, it must be noted that these are the maximum possible penalties that the ICO can enforce and they are not obliged to do so.
Dixons Carphone recently suffered a similar breach, however, as the breach itself took place prior to the GDPR coming into force, it will be investigated under the Data Protection Act 1998 and consequently, the largest fine the ICO is able to impose is £500,000.
The GDPR and cybersecurity:
Under the GDPR, organisations are required to ensure that the personal data they hold is processed securely using the appropriate technical or organisational measures. This is one of the key principles of the Regulation, with Article 5(f) stating that personal data shall be processed: ‘…in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
This leaves the onus of deciding on the specific level of security up to each individual organisation which is required to implement security measures that are appropriate to the risks posed by the specific processing activities undertaken. For example, medical records would likely require a more robust security system than email addresses.
The ICO recently worked alongside the National Cyber Security Centre (NCSC) to produce guidance on the GDPR security outcomes which can be found here. The guidance largely echoes Article 32 of the GDPR, providing practical ways for organisations to adopt the requisite level of cybersecurity such as the implementation of internal policies and processes, identity and access control, data security, system security and staff training.
Interestingly, the guidance also highlights the potentially advantageous uses of penetration testing, a form of ethical hacking, to detect system flaws. Organisations such as Google, Facebook and PayPal have adopted this approach in recent years with the increasing digitisation of personal records, invoices, payments and other aspects of our personal and professional lives. However, due to the high black-market value of the information that hackers can obtain, many companies are offering what are known as responsible disclosure policies or “bug bounty” programs, whereby hackers are paid for detecting flaws in their security systems. In doing so, companies are given an early warning of potential weaknesses in their websites and are able to rectify the problem before any personal data is stolen.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.