MyLife Digital response to ICO action on British Airways


It’s not surprising that the world is focussing on the potential British Airways fine this week. This is the first substantial notice actioned by the ICO under the new data protection regulations (GDPR & DPA 2018).

Fact: It is a record fine (if it proceeds at this amount).

Fact: It was a sophisticated cyber security breach.

Fact: The UK’s ICO was working with other EU regulators to investigate this.

Fact: A significant number of customer records, 500k according to the ICO statement[1], were diverted by the criminals who carried out this attack. The Telegraph reported in September 2018, at the time of the attack, that 380,000 payment transactions had been compromised.

But the fine, whilst important as a gauge for the new rates of financial levies, is not the core issue here. Once again, a large, well-established company has allowed individuals’ personal data to be compromised.

Does this mean that BA do not place enough importance on the security and integrity of their customers’ data? Did they do enough to fulfil their obligations when reviewing third-party processors prior to the breach? It has been reported that the payment page had been breached by the inclusion of 22 lines of JavaScript code, widely attributed to the threat group Magecart.[2]

We await BA’s response to the ICO’s notification of intended action.

Will trust in BA be affected?

Do we think customer trust in BA will be impacted? No, probably not in the long term. History shows that such breaches only tend to result in a temporary dip in shareholder value,[3] although brand reputation will take a hit.

It would appear that most of the customers affected were not targeted financially post-hack, and we’re aware that customers were offered a 2-year paid subscription to Experian’s Protect myID in compensation. Was this a little bit of “closing the stable door after the horse has bolted”? However, given the lack of any significant personal impact, improvement measures to protect online transactions may be enough to keep the faith of the customers.

BA has updated its security provisions and discussed alternatives for providing security services. BA actively reported the breach and continues to work with the ICO to complete the investigation.

The debate across social media and privacy practitioner forums regarding the size of the intended fine will rage on until it is decided whether the fine is proportionate, as laid out in Chapter VIII, Article 83 of the GDPR[4]; the ICO is acting as the lead supervisory authority under the ‘one stop shop’ provision.

Given the amount of the BA fine, the actions BA took to mitigate the risks to data subjects, and its cooperation with the ICO, it would appear that some pretty severe negligence must have been in play.

What next?

If this is the potential scale of fines for a data breach that involved a criminal act by an external party, what will the consequences be for organisations who knowingly (or even unknowingly) process customers’ personal data for a purpose outside of the customer’s awareness? Or where the correct lawful basis or consent isn’t established?

The data controller is responsible for these operational factors, and it will be interesting to see how data misuse cases like these develop. We are curious to hear readers’ thoughts on this.

[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

[2] https://www.scmagazineuk.com/ba-website-data-breach-magecart-deeper-first-thought/article/1497302

[3] https://www.standard.co.uk/news/uk/ba-hack-shares-slump-as-angry-passengers-hit-out-amid-serious-data-breach-a3930176.html

[4] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1

J Cromack
