In the run-up to 25 May 2018, much of the excitement amongst GDPR professionals, such as it was, was generated by speculation over who would be the first major test case for the new regulatory regime.
Last week’s cyber attack on British Airways may have answered that question. On Friday 7 September, British Airways informed 380,000 customers who had booked flights between 21 August and 5 September that their personal and financial information, including credit card details, had been stolen by hackers.
Prior to May, such a breach would have been greeted with the customary exasperation amongst the information security community, before the work began on unpicking the ‘how’ to accompany the ‘who’. However, with the GDPR in place, the legal, financial and reputational consequences for British Airways could be unprecedented, and the company’s reaction to the crisis will be closely watched by other firms as they look for guidance for when it could be their turn.
It is still very early days, but with that in mind, S-RM’s Cyber Risk & Governance team, along with our Crisis Management division, have cast a first look over British Airways’ response to see what lessons can be learned.
What did BA do well?
Despite inevitable public outrage and criticism of BA’s data protection efforts following the breach, initial reports suggest that BA were in fact relatively well prepared in their response to the incident. They informed the Information Commissioner’s Office (ICO), the UK’s data protection regulator, within the mandatory 72-hour reporting window established by the GDPR, and quickly published details identifying the material scope and exact times and dates between which the attack occurred. By doing so, they complied with the strict reporting requirements outlined in Articles 33 (Notification) and 34 (Communication) of the GDPR.
Furthermore, within 48 hours of detecting the breach, they contacted affected customers, advising them to contact their banks and promising compensation to those affected financially; they also issued public statements and placed advertisements in newspapers apologising for the breach.
BA’s response demonstrates that their breach and crisis management procedures were well rehearsed. As a result, the firm was able to react quickly and effectively to manage the crisis as it broke. Over the coming weeks, these efforts will become a critical part of BA’s defence as the ICO and public begin to ask difficult questions about how their approach to securing and handling personal data measures up to the strict new requirements of the GDPR.
“The best way to minimise the reputational and regulatory fallout of breaches like the one experienced by BA is to have established lines of communication with the right authorities to ensure compliance with legal obligations, and be proactive in providing customers with protection from the impact of the breach.
For companies who are unfamiliar with managing these types of situations or need extra support, crisis management consultants can make sure that all these different parties are liaised with at the right time to give the best chance of managing the crisis successfully.”
Room for improvement?
As BA looks to manage the longer-term fallout of the breach, there are some questions about the airline’s investment in cyber security.
Preliminary details regarding the breach appear to indicate that BA may have been the victim of a sophisticated, well-planned attack carried out by capable hackers. A growing consensus amongst security researchers points to the possibility that BA’s website was compromised via an injection of customised code designed to avoid detection and steal data from webforms. If this theory is correct, it raises questions over how BA secured their web servers, and why this code was not detected by BA’s security team when it was loaded onto the website. BA’s answers to these questions will likely play a part in whether the ICO decides to penalise BA for failing to appropriately secure their customers’ data as required by Article 32 (Security of processing) of the GDPR.
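As an added illustration (not code from the original article, and not BA’s own tooling), one control that bears directly on the detection question above: record a hash of every script in a release at deployment time, then periodically compare what the server is actually serving against that baseline, so that a script modified or added outside the release process is flagged. File paths and contents below are constructed samples.

```python
import hashlib
import os
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of every script at deployment time (the 'known good' set)."""
    return {path: sha256_hex(content) for path, content in assets.items()}

def scan_directory(root: str) -> Dict[str, bytes]:
    """Read every .js file under a document root into a path -> content map."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    found[os.path.relpath(full, root)] = fh.read()
    return found

def check_assets(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare what is served now against the baseline; any difference is a finding."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(f"MISSING {path}")
        elif sha256_hex(current[path]) != expected:
            findings.append(f"MODIFIED {path}")
    for path in current:
        if path not in baseline:
            findings.append(f"UNEXPECTED {path}")
    return findings

# Constructed sample release (hypothetical paths, not BA's code).
DEPLOYED = {
    "static/js/checkout.js": b"function submitPayment(f) { return post('/pay', f); }\n",
    "static/js/vendor.js": b"/* vendor bundle */\n",
}
# Constructed later snapshot: checkout.js has gained lines nobody deployed, and a
# script that was never part of the release has appeared alongside it.
SERVED_LATER = {
    "static/js/checkout.js": DEPLOYED["static/js/checkout.js"] + b"/* lines not in the release */\n",
    "static/js/vendor.js": DEPLOYED["static/js/vendor.js"],
    "static/js/helper.js": b"/* never deployed */\n",
}

if __name__ == "__main__":
    for finding in check_assets(build_baseline(DEPLOYED), SERVED_LATER):
        print(finding)
```

In a real deployment the baseline would be produced by the build pipeline and the comparison run against `scan_directory()` on the live document root, with findings routed to the security team rather than printed.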
BA has also previously been suspected of cost-cutting when it comes to IT, with critics pointing in particular to failings that led to a power surge in a control tower causing global flight interruptions last year, and concerns around plans to outsource security. More recently, a consultant hired to improve the airline’s payment systems has accused BA of failing the international standard for card payments last year.
Should these criticisms prove to be well-founded, they could result in further reputational and regulatory consequences for BA. It will be critical that the company can answer these accusations and provide detailed evidence to demonstrate that they took appropriate technical and organisational measures to protect the privacy of customers. This will have a tangible impact on both customer confidence in BA and whether the ICO decides to fine the airline for failing to measure up to the security provisions of the GDPR.
So has GDPR made a difference?
Clearly it’s too soon to tell. However, there are some notable differences between BA’s response to this crisis and other companies in similar situations before 25 May 2018. Pre-GDPR, companies could fail to notify customers affected by major data breaches without fear of serious financial penalties, as happened in the cases of Uber or Yahoo. Now, however, that kind of negligence carries serious consequences.
Further breaches over the coming months and years will give us a better idea of whether BA has stood out from its peers or whether the legislation has had a meaningful impact. However, the alacrity of their response suggests a promising start. We should also not discount the impact of a change in public opinion, which appears increasingly vociferous and unforgiving of companies who do not take due care of their customers’ data.
What is clear is that BA’s response has been effective so far, not just because of their textbook response to the ICO, but because their breach response plans were clearly integrated into the company’s wider crisis management framework. This is borne out by the relative stability of their share price in comparison to other companies which mishandled similar situations, such as Talk Talk, whose share price dropped 10% within 48 hours of the breach they suffered in late 2015. This demonstrates the positive effect of being prepared and proactive. Any firm holding sensitive data would be wise to heed their example.