After Air Canada Breach Here Comes British Airways

Hundreds of thousands lose bank details as British Airways hacked

Data stolen from hundreds of thousands of British Airways customers in major breach

A data breach follows a data breach. It's not IF it's when. Is your organisation ready to react?

The New European Data Protection Regulation that entered into force on May 25 after a grace period of two years of adaptation is in continuity of the previous data Protection Directive. One of the main change from the previous situation is a short period of required reactions after a data breach.

The GDPR introduced a 72-hour notification requirements. It is therefore critical for organisations to have a systematic GDPR incident response protocol in place to meet these requirements. Having a breach response plan in place is critical. Every organisation need to appoint one central post to receive all data breach in order to act promptly, to evaluate against notification requirements, and analyse overall risk against the underlying data inventory.

According to the BBC, BA was made aware of the breach by a partner on Wednesday evening.

"BA said the breach took place between 22:58 BST on 21 August and 21:45 BST on 5 September."

"We have notified the police and relevant authorities. We take the protection of our customers' data very seriously."

The BBC reports "BA said all customers affected by the breach had been contacted on Thursday night. The breach only affects those people who bought tickets during the timeframe provided by BA, and not on other occasions."

British Airways breach: How did hackers get in? They are assumption that despite the encryption of customers data, these were intercepted from the website.

Security Experts Comments – British Airways Data Breach

Not sure if every customer has been contacted as Mr Cruz added:

"At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data."

Article 33 GDPR requirements in case of data breach are :

1 - In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with  Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

2 - Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

BA knows how important it is to react on time to notify the Data Protection Authority and each and every customers hurt by the breach. The GDPR fines of 4% of General turn over or 20 Million € are serious incentives. Fine or notBA fine, a breach of customers data cause serious harm to the business reputation.

"Already, we are told that Shares in BA owner IAG fell by 3.1% in early trade on Friday."

Social media is getting filled with comments from outraged customers :

Mat Thomas said he placed a booking on 27 August, but had not been contacted about the breach.

"Atrocious that I had to find out about this via news and twitter," he tweeted.

"Called bank and had to cancel both mine and my wife's card. Probably won't get it back before we fly (ironically)."

Gemma Theobald tweeted: "My bank... are experiencing extremely high call volumes due to this breach! Couldn't do anything other than cancel my card... not how I wanted to spend my Thursday evening."

If you have remained impermeable to the new regulation, should this data breach incident be a wake up call. Data breach and GDPR is not exclusively a concern for big organisations. That includes SMEs or charities or any entity processing personal data outside household activities. To check GDPR wide application, you can read my previous posts. GDPR Material and Territorial Scope.

Another major innovation of the GDPR is class action or remedies from data subjects.

All you need to know about GDPR compliance.

The Telegraph report : "Alex Cruz, BA's chairman, revealed the hackers were "very sophisticated criminals" who had not hacked the company's encrypted data, but rather gained "illicit access" to the airline's system. 

This meant the breach went unnoticed for more than two weeks and now customers are scrambling to cancel their cards once the airline became aware of the breach on September 5."

It is thought the number of payments compromised could be up to 400,000 and BA confirmed Friday morning hackers had obtained names, addresses, credit card numbers, expiry dates and the three-digit security codes on the backs of cards - plenty to make a fraudulent payment. 

THE UK ICO has published "Records management for small business means safeguarding people’s personal information and making sure any risk has been reduced. We’ve designed a records management checklist and many GDPR checklists"

So far, nothing much in the ICO statement in response to British Airways breach announcement nor NCSC statement on the reported British Airways data breach

Interestingly, in July this year, British Airways asked customers to post personal information on Twitter ‘to comply with GDPR’

And finally, we can wonder if BA has suffered from the absence of an active DPO as they have advertised for the post :

"Role Title: Group Data Protection OfficerPurpose of the role

The Group Data Protection Officer will be responsibility for overseeing the Group’s dataprivacy compliance programmes. The role is appointed to fulfil the statutory obligation under the *General Data Protection Regulation to appoint a Data Protection Officer (DPO) for the Group companies meeting the statutory criteria...

The ability to remain calm, controlled and resilient"

British Airways customer data hacked and stolen

UPDATE: ~If the financial harm is difficult to prove and the ICO fine uncertain, BA risk to be liable to compensate for non-material damage under the Data Protection Act 2018. Psychological harm and distress are used for a customer class action by SPG law. Law firm representing customers action asking compensation for distress, not necessary a financial.

Read more : SPG Law launch ￡500m Group Action against British Airways following catastrophic data breach

According to this security expert, the website remains unsecure. read more.

More technical explanation / supposition : Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims

• This work is licensed under a Creative Commons Attribution 4.0 International License.