British Airways is the latest major company to suffer a serious data breach in which customers’ personal and financial details were stolen. In what was described as a “sophisticated” breach of its website, BA has been swift to assure those affected that they will be compensated.

What happened?

Between 21st August and 5th September 2018, cyber criminals hacked into BA’s information systems, accessing (or more likely intercepting) around 400,000 customers’ names, email addresses and full credit card details – including the three-digit CVV number on the back of the card. The breach compromised the personal details of customers booking flights both on BA’s website and in its mobile app during that period.

Customers were immediately notified of the breach once BA was aware of it. Unfortunately, it took two weeks before the breach was even detected, prompting questions as to the quality and effectiveness of BA’s internal detection processes and systems.

We understand the National Crime Agency and National Cyber Security Centre are investigating the incident. BA now faces potentially hefty fines of up to 4% of annual global revenue under the General Data Protection Regulation (GDPR).

What are the rules on notification of data breaches?

In the event of a personal data breach such as this which poses a risk to the rights of data subjects (the individuals whose personal data was taken), organisations are required by the GDPR to report it to the ICO (the Information Commissioner’s Office) without delay. In any event, it must be reported within 72 hours of the organisation becoming aware of it – even if not all the details are yet known. Where the breach poses a high risk to data subjects, the individuals affected must also be informed without undue delay.

Of course, prevention is far preferable to being in a position such as BA’s. Efficient and effective detection and response are vital, and the GDPR places a greater burden on businesses than ever before to ensure they:

  • have robust procedures and policies in place
  • are able to detect and identify data breaches swiftly, and
  • implement efficient and effective procedures for investigation and internal reporting

What does this mean? The BA data breach is a salutary reminder of the risks that face businesses, however large their resources. The consequences of a personal data breach are not only financial – the reputational fallout can adversely affect a company’s fortunes for many years.