Possible Class-Action Lawsuit for British Airways Following GDPR Breach

Due to a computer hack that accessed the credit card data of approximately 380,000 customers, British Airways will likely be the first major company to face a test, and possibly extremely high financial penalties, under the European Union’s new General Data Protection Regulation (GDPR).

Under the new GDPR legislation, which was introduced on May 25 this year, firms must implement security measures to enhance protection of private client data. If any individual’s private information is impacted, they must be made aware of this within 72 hours of it being initially discovered.

This new legislation states that GDPR violations can result in penalties of up to 4 per cent of a company’s annual sales or £20m, whichever figure is higher. In this case, BA could be subjected to a fine of £489m based on global revenue for the company during 2017. The UK National Crime Agency and National Cyber Security Centre also stated that they are looking into the incident.

For two weeks during August and September, between 22:58 on 21 August and 21:45 on 5 September, hackers gained access to account numbers and personal information of customers who made reservations on the British Airways website and mobile app. Approximately 380,000 payments were compromised during the GDPR breach.

Chief Executive Officer Alex Cruz said, in an interview with the BBC: “The first thing to say is that I am extremely sorry for what happened. We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”

He added: “We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app. We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack. The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”

Meanwhile on Monday, details of a possible group action, in relation to the GDPR breach, were revealed by SPG Law, the UK branch of US law giant Sanders Phillips Grossman. The legal firm said that it has developed plans to initiate the £500m legal action, the British equivalent of a US class-action lawsuit, unless the airline opts to settle with those affected by the data violation.

Tom Goodhead, a partner at SPG Law, released a statement which read: “Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems. Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”

In a statement, an ICO spokesperson said: “British Airways has made us aware of an incident and we are making inquiries.”

The airline and travel sector has been hit with a number of high-profile data breaches recently. Last week, Air Canada confirmed a data breach affecting 20,000 customers. In May 2017, Delta confirmed that it suffered two data breaches during September and October, and British travel company Thomas Cook admitted during July that names, emails and flight details had been accessed.