On the back of the recent Air Canada data breach, British Airways announced on Friday that it has also suffered a theft of customer data. Around 380,000 transactions made by BA customers in the period from Thursday 21st August 2018 to Wednesday 5th September 2018 are affected.
Personal data stolen in the breach includes customer names, email addresses, credit card numbers, credit card expiry dates and 3-digit CVV codes. In other words, everything a fraudster would need to make fraudulent transactions on a credit card.
BA says that no passport or travel information was compromised.
Did British Airways do anything wrong?
British Airways says that it discovered a problem on the evening of Wednesday 5th September, some two weeks after it says customer data started to be compromised. It says that it notified affected customers the following day (Thursday 6th September).
The ICO released a statement saying that British Airways had made it aware of an incident and that the ICO was making enquiries.
It would appear that BA came to the (probably obvious) conclusion that the data breach caused a “high risk to the rights and freedoms of individuals”. Therefore, BA notified both the regulator and individuals affected without “undue delay”. As such, in terms of its notification obligations, it is likely that as long as BA continues to cooperate with the regulator and includes all necessary information in its communications with affected individuals, it will have satisfied those obligations.
What will be interesting for organisations seeking to comply with their security obligations under the GDPR is whether the data breach happened because of a failure by BA to comply with those obligations, or whether it happened despite BA complying with those obligations. In other words, “Are data breaches the new normal?”.
What are an organisation’s security obligations under the GDPR?
Organisations have a legal duty under the GDPR to keep personal data secure. One must assume that BA has spent a lot of money on data security, both to comply with the law as a responsible company and to avoid the kind of public relations fallout it will experience as a result of this latest breach.
The question that the regulator will have to answer is whether BA had implemented “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Given that the risk of hacking is high and the consequences to individuals serious, BA will be expected to have had the very best security measures in place.
Did British Airways meet its security obligations?
From the limited information we have at present, where it looks like BA will have difficulty explaining itself is in not becoming aware of the breach for a period of two weeks after it first started occurring. Given that it has an obligation under the GDPR to regularly test, assess and evaluate its security measures, how did such a security breach manage to go undetected for so long?
What can we learn from this latest breach?
Organisations need to understand that having a security review with penetration testing every twelve months is unlikely to be sufficient to comply with the security obligations of the GDPR. Organisations need to be watchful at all times for unusual behaviour in relation to personal data and ensure that they keep up to date with industry security practice. Criminals are attempting to get ahead of security practices and, therefore, organisations need to maintain vigilance and implement state-of-the-art security techniques. All changes to security policies need to be recorded to comply with the GDPR.
How to minimise the risk of a data breach
Organisations should build a culture of compliance from top to bottom. Ensuring that everyone in your organisation has a thorough understanding of data protection, its importance and what each individual can do in their day-to-day working lives helps ensure that personal data remains safe.
Criminals will seek to find the weaknesses in security. Often, the weaknesses lie with individuals. If individuals are suitably trained, then security is stronger. Training should range from individuals in the sales organisation understanding the latest phishing techniques to members of the IT team understanding state-of-the-art infrastructure security.
Such steps may not prevent a data breach, but they may ensure that an organisation stays within the law. Data breaches in the airline industry (or any other industry) should not become the new normal.
Perhaps data breaches such as those experienced by British Airways and Air Canada are the wake-up call organisations need before they appreciate that true compliance with data protection law is necessary to maintain shareholder value. If maintaining shareholder value is something that concerns you, perhaps you might want to take a look at The Privacy Compliance Hub and how it can help.
By Nigel Jones – Co-founder – The Privacy Compliance Hub