British airways record fine shows true cost of GDPR and ineffective cyber security

July 10, 2019

We have only just passed the one-year anniversary of the European Union’s (EU) General Data Protection Regulation (GDPR)and it would appear that regulators really mean business and are willing to punish organisations like never before.

UK airline British Airways (BA), one of the biggest airlines in the world, has been fined a record amount of £183 million (€203 million) after it suffered a cyberattack in September 2018. The UK Information Commissioner’s Office (ICO) has indicated that this is the biggest fine it has ever issued and the first to be made public following the advent of GDPR in 2018.

How did BA come to be facing such a significant fine, and how can companies tighten up their cyber security to try and ensure such attacks don’t occur in the first place?

A very costly cyber attack

This fine for BA relates to a cyber security breach which took place between 21 August and 5 September, 2018. After discovering the breach, BA informed its customers that details from 380,000 booking transactions had been stolen, data that included including bank card numbers, expiry dates and cvv codes.

It would seem that BA’s breach related entirely to customer data stolen from payment forms, so many experts believe it was the work of the Magecart group. A similar attack was carried out on Ticketmaster UK recently, which was shown to have been attacked by web-based card skimmers that steal credit card data, either for the criminal to use themselves or to sell to other parties.

A quick response to data breaches is a key requirement of GDPR, but it would appear that BA did not move quick enough to satisfy the regulators. It is now facing the largest GDPR fine ever, comfortably outstripping the €50 million that the French data regulator CNIL gave to Google in January 2019.

It can be argued even that BA has got away with a smaller fine that it could have done. £183 millionis the equivalent of 1.5% of BA’s annual global turnover in 2017, a Level 1 GDPR regulation. GDPR allows for fines of up to 4% of a company’s annual global turnover, which in the case of BA, would be £488 million (€544 million), even more if BA’s parent company International Airlines Group (IAG) was held responsible instead.

There are also other factors for BA to bear in mind. The airline has already been threatened with a £500 million class-action UK lawsuit, by law firm SPG Law. Perhaps even worse, there is the long-term damage done to BA’s reputation and brand – will it now be forever known as an organisation that does not keep its customers’ data safe?

Keeping data safe requires digital compliance and security

BA has not actually paid the fine yet and has 28 days to appeal it. Willie Walsh, chief executive of IAG, commented:

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Even if BA and the ICO eventually settle on a smaller figure, the message is clear – if you don’t treat your customers’ data with complete care and attention, any organisation can expect the most severe punishment if things go wrong.

That’s why it is more important than ever for organisations to adopt a continuous approach to both cyber security and compliance. Perhaps even more so in the case of mid-sized firms that lack the resources and budgets of bigger organisations, but still require the peace of mind that they won’t be hit by a mammoth fine.

The only way for any organisation to keep its data private and safe, is to know where it is and know who can access it. This is exactly what Oxial’ssGRC solution provides. Far more effective than traditional GRC, Oxial’ssGRC manages all an organisation’s risk, including cyber security and compliance, and offers continuous improvement and protection.

If you are keen to avoid a major GDPR fine, don’t want the stigma of being known as an organisation that doesn’t care about its customers’ data or do not want the embarrassment, cost and reputational damage that can come with a cyberattack, then why not look at Oxial’ssGRC solution?

To request a quote or arrange a demo, please click here.