A computer hack that exposed credit card data for around 380,000 customers means that British Airways will likely be the first major firm to face a test, and potentially massive financial penalties, under the European Union’s new General Data Protection Regulation (GDPR).
Under the new GDPR legislation, which came into force on May 25 this year, firms must implement security processes that enhance the protection of private client data. If any individual’s private information is affected, they must be made aware of this within 72 hours of the breach first being discovered.
The legislation provides that GDPR violations can lead to penalties of up to 4% of a company’s annual sales or £20m, whichever figure is larger. In this instance, BA could be subjected to a fine of £489m, based on the company’s global revenue for 2017. The UK National Crime Agency and National Cyber Security Centre also said that they are reviewing the incident.
For a fortnight during August and September, between 22:58 on 21 August and 21:45 on 5 September, cyber criminals obtained access to account numbers and personal information of customers who made reservations on the British Airways website and mobile application. Around 380,000 payments were impacted during the GDPR breach.
Chief Executive Officer Alex Cruz told the BBC: “The first thing to say is that I am extremely sorry for what happened. We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”
He went on to say: “We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app. We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack. The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
Last Monday, details of a possible group legal action in relation to the GDPR breach were announced by SPG Law, the UK branch of US law giant Sanders Phillips Grossman. The legal firm said that it is preparing to bring the £500m legal action, the British equivalent of a US class-action lawsuit, unless the airline chooses to settle with those affected by the data breach.
Partner at SPG Law Tom Goodhead released a statement which said: “Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems. Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”
In a separate statement, an ICO representative said: “British Airways has made us aware of an incident and we are making inquiries.”