BA data breach: 565,000 customers may have been affected

In September, British Airways announced it had suffered a data breach that compromised the personal and financial data of more than 380,000 customers. However, the airline has since admitted that an extra 185,000 people may have been affected.

Then and now

At the time of the attack, BA was by and large applauded for its swift and efficient response: the incident was reported to the ICO (Information Commissioner’s Office) within the 72-hour timeframe required under the EU’s GDPR (General Data Protection Regulation), the police were informed, and customer communications were sent, supported by an information page on BA’s website.

The incident is still being investigated by the National Crime Agency and National Cyber Security Centre, with a skimming script that scraped data from online payment forms thought to be the cause.

In an updated statement in late October, BA said:

The investigation has shown the hackers may have stolen additional personal data and British Airways is notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were only those making reward bookings between April 21 and July 28, 2018, and who used a payment card.

More than 500,000 victims

This revelation is an additional blow to the airline: not only did it suffer a breach, but it also failed to grasp the full extent of the attack. The ICO will likely take a dim view of this for two reasons. First, BA ought to have been in a position to fully scope the attack at the time. Second, the delay in informing the additional 185,000 victims potentially puts them at greater risk of cyber fraud, because their details have been exposed, and have remained unchanged, for longer.

BA insists that there haven’t been any instances of fraud attributed to the breach, although it’s possible that fraud simply hasn’t been identified or officially reported yet.

What next?

BA will continue to “reimburse any customers who have suffered financial losses as a direct result of the data theft”, in addition to offering 12 months’ credit rating monitoring.

The breach will be investigated under the GDPR, which could leave the airline facing an extremely hefty fine, in the hundreds of millions of pounds. In addition, law firm SPG Law feels BA should be doing more to compensate customers and has created a microsite, encouraging victims to sign up to a £500 million group action lawsuit against the airline.

This incident could become a major test case for the GDPR, with all the publicity that would entail, which would be extremely damaging to the previously well-respected airline.

Is your organisation prepared for a data breach? Take our survey now to test your readiness and identify areas for improvement.