The 2018 British Airways data breach was one of the first to occur under the GDPR (General Data Protection Regulation), so the investigation into the incident by the ICO (Information Commissioner’s Office) was seen as a test case.
It was therefore unsurprising that when the regulator announced its intention to fine British Airways a record £183.4 million for breaching the GDPR, businesses around the world reacted with consternation.
If, as this suggested, 1.5% of annual global turnover was to be the ICO’s benchmark for data breaches, many organisations realised it was finally time to invest properly in GDPR compliance.
Effective judicial remedy
However, administrative fines of up to €20 million (about £18 million) or 4% of the organisation’s annual global turnover (whichever is greater) are not the only penalty the GDPR allows.
It also grants data subjects the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that doesn’t comply with the Regulation.
Last week, on 4 October, the High Court duly granted a group litigation order, effectively giving the go-ahead to mass legal action from the 500,000 British Airways customers whose personal data was compromised in the breach. Mr Justice Warby ruled that victims have 15 months to join the class action.
Last summer, BA fell victim to a formjacking attack, in which malicious script injected into a web page copies what customers type into forms and sends it to the attacker; it skimmed customers’ payment data when they attempted to make bookings through the BA app or website. The security firm RiskIQ attributed the attack to the Magecart group, which has been responsible for similar attacks, including one on Ticketmaster.
According to the ICO, “a variety of information was compromised […], including log in, payment card, and travel booking details as well [sic] name and address information” and BA’s “poor security arrangements” were to blame.
Opinions on how much victims can expect to win vary:
- SPG Law, one of the firms encouraging customers to join the class action, reckons victims could each get “up to £2,000 or more”.
- Higgs Newton Kenyon claims that victims could be entitled to up to £5,000.
- Data Leak Lawyers states that victims “could be eligible to claim, on average, £6,000.00, or as much as £16,000.00 in damages where the impact is extreme”.
Irrespective of the accuracy of these predictions, however, the news will be unwelcome for BA’s owner, IAG (International Airlines Group), which has already revised its 2019 profit guidance following last month’s pilot strikes, estimated to have cost BA £120 million.
The shape of things to come
Whatever the outcome of the class action, it should be a salutary reminder that regulatory action is only the tip of the iceberg for organisations that breach the GDPR.
Data breaches are now so commonplace that you should expect them to happen and plan accordingly.
In the long run, it’s far less expensive to put appropriate security measures in place now than to be forced to do so after a breach has occurred, on top of facing administrative fines, remediation costs, reputational damage and legal action.
Don’t risk it: cyber secure it
Cyber health is about establishing simple, routine measures to minimise your cyber risk. By taking steps to improve your cyber health, you can stay ahead of the criminal hackers, protect your data and respond to cyber threats before they damage your business.