DPO.Business News and Blogs


07 September 2018

BA payment data of 380,000 customers hacked

British Airways has joined the list of companies that were seriously hacked.

It is understood that criminals compromised payment card details entered on the British Airways website or app between 23:00 on 21st August and 21:45 on Wednesday 5th September. The data included names, addresses, card numbers, expiry dates and the CVV (the three-digit security code on the back of the card). That is enough for the criminals to commit fraud with those cards, and it is likely that the details are already for sale to fraudsters on the dark web, the part of the Internet that is reachable only through anonymising software such as Tor and where illegal trades often take place.

If your payment card may be affected, keep a close eye on bank statements for unusual transactions, consider asking your bank to replace the card, and be wary of "phishing" emails from fraudsters pretending to be BA or your bank. A genuine notification will not ask you to confirm card numbers or passwords.


BA seems to have done fairly well at identifying the hack and putting its hand up. It went public less than two days after the breach was stopped, well within the 72 hours that GDPR allows for notifying the ICO once an organisation becomes aware of a breach, and it has been speaking with key agencies such as the Police, the NCSC and the ICO. Its CEO has also gone public to highlight how seriously the company is taking the issue.

We are reminded of the old cyber security adage that there are two kinds of company: those that have been hacked, and those that don't yet realise they have been hacked.

BA has said: "No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline's mobile app." That is a brave and potentially expensive commitment, but it is also likely to be very effective in minimising the immediate operational impact and the longer-term reputational damage. The incident is going to be expensive whatever happens.

Positive action such as this could help reduce any fine under the EU General Data Protection Regulation (GDPR). The maximum is the higher of €20m or 4% of worldwide annual turnover, which for BA's parent group could theoretically reach nearly £900m.

Check back or subscribe for further updates on the BA security breach.

We wait to see how the hackers got in and where the controls failed.

We know that payment card data was compromised. Systems that handle card data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which has been evolving since 2004. One detail stands out: PCI DSS forbids storing the CVV once a transaction has been authorised, so if the security code really was taken, it was most likely captured as customers typed it into the website or app rather than read from a stored database. Fines would likely be higher if BA is found to have failed to comply with PCI DSS or with other key security controls. Both TalkTalk and Carphone Warehouse received relatively high fines under the old Data Protection Act 1998, at £400k each, or 80% of the maximum, after investigations showed major security weaknesses. However, the maximum fine in those days was capped at a meaningless £0.5m.

We believe the full GDPR fine would only be used against an organisation that was grossly negligent in provisioning for security and data protection. Investigations often take a year, sometimes four, so we do not expect to see what GDPR fines look like for big events any time soon.

We think they could have done with data protection advisory services from DataGRC and the Data Sentinel online Data Protection training, Records Management and Compliance Assessment tools.

