With technology growing at a rapid pace and becoming part of everyday life, it is now common for most people and businesses to use and rely on it. With so much data being used and stored, it can be extremely hard to protect the data that has been accumulated. With the rising risk of fraud and data theft, new regulations had to be introduced. These days people buy, shop and bank online; almost anything can be done online. With all this information held by businesses, businesses are under a lot of pressure from new regulations to keep all of that data safe. The most recent example is the GDPR, which came into force in May of this year. In the following we will look at the GDPR and its first test case, British Airways. From my research of news footage, articles, newspapers and notes, we will get an understanding of the GDPR, the impact of a data breach under the GDPR, and what it will mean for companies like British Airways that suffer a data breach.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for all individuals in the EU. It is the most important change in data privacy regulation in 20 years and will restructure the way data is handled. With data growing rapidly in recent years and so much of it being stored, the aim of the GDPR is to protect this data. The GDPR came into force on the 25th of May 2018. It was not brought in to punish businesses that suffer a data breach: breaches are now becoming a daily occurrence and part of life, as so many people and businesses are online. The GDPR is there to make sure that companies do everything within their ability to keep our data secure. It asks the question: did the company do everything in its power to prevent the breach, or is it liable?
If a company is found liable for breaching the GDPR there can be major consequences and fines. It does not only have to deal with the massive fine that the GDPR can impose; there can be other negative impacts such as bad publicity, vulnerable security systems that will all need to be replaced, reimbursement of customers, legal issues and many more. For many companies it is not a matter of if they are going to have a data breach but when. British Airways is one such company, and it has become the first test case for the GDPR.
British Airways can be traced back to the beginning of civil aviation, the pioneering days following World War I. In the 99 years that have passed since the world's first scheduled air service on 25 August 1919, air travel has been transformed beyond all recognition. Each decade saw new developments and challenges, which shaped the way for the future.
BA was created in 1974 after a British Airways Board was established by the British government to manage the two nationalised airline corporations, British Overseas Airways Corporation and British European Airways, and two regional airlines, Cambrian Airways from Cardiff and Northeast Airlines from Newcastle upon Tyne. On 31 March 1974 all four companies were merged to form British Airways. After almost 13 years as a state company, BA was privatised in February 1987 (British Airways).
Now, in 2018, BA is one of the most well-known airlines. The airline has long been considered a national symbol of the United Kingdom's status as a global power. It is the biggest airline in the UK based on fleet size (275) and the second biggest, behind EasyJet, by number of passengers carried. The airline serves 200 destinations in nearly 90 countries. Its current CEO is Alex Cruz, who has held the post since 2016.
British Airways Data Breach
Alex Cruz faced his biggest challenge yet as CEO of BA when BA became the first test case of the GDPR. The breach of the new regulation was revealed when it emerged that more than 380,000 transactions performed on the BA website may have been affected. This happened over the course of two weeks, during which stolen data including names, email addresses and credit card information was taken while customers were making online reservations through the BA app and website. Trip information and passport information, however, were not included in the data that was stolen. BA believes that its encryption was not breached, and that something new captured the data during customer transactions rather than raiding the BA database. It was a significantly long time before BA noticed that its customers' data had been stolen. As news of the BA data breach broke, CEO Alex Cruz's first move was to apologise to the individuals affected and advise them to contact their banks. He also sought outside help, contacting the National Cyber Security Centre, the National Crime Agency, the Police and the Information Commissioner's Office.
Nature of Data Breach under GDPR
• Notification. Under the GDPR, breach notification is now mandatory. Notification must be made within 72 hours of first having become aware of the breach. Companies are also required to notify their customers without delay after first becoming aware, or being notified, of a data breach.
BA may not have discovered the breach until two weeks after the violation, but it acted immediately when alerted to it. The CEO emailed the customers involved within 24 hours, which was within the GDPR time frame of 72 hours. However, BA breached the GDPR by originally failing to correctly inform customers, within those 72 hours, of who they could contact if they had questions about the breach and what steps BA would be taking to deal with it. BA then had to send a second email to customers with the additional information, which was outside the GDPR time frame.
• Privacy by design calls for data protection to be present from the beginning of designing systems rather than being an addition. More importantly and specifically, companies must implement appropriate technical and organisational measures in an effective way in order to meet the requirements of the GDPR, which is to protect the rights of the data subject.
There is no denying that BA had a data breach under the GDPR, as it is clear that 380,000 passengers have had their personal information compromised, and the company has admitted that the breach involved personal data and took place after the GDPR came into force. It comes at a time when cyber-attacks are exceedingly sophisticated. BA also believes that it was the same individuals who hacked Ticketmaster.
With such a mammoth breach, countless people affected and a two-week delay before BA noticed, and with this being the first test case for the GDPR, the consequences for BA could be enormous, so as to set an example to other companies.
The risks and consequences for British Airways
Under the GDPR, companies in breach can be fined up to 4% of annual global turnover, which in BA's case is £500 million. This is the maximum penalty that can be imposed for the most serious breaches, e.g. of the Privacy by Design concepts mentioned above. As well as this huge fine that could be imposed on BA, there are other risks and consequences BA could face.
• If the attackers could hack BA for two weeks without being noticed, they could hack other airlines such as Ryanair. As mentioned, the individuals involved in hacking BA are believed to be the same individuals who hacked Ticketmaster. This could have a serious impact on other airlines, as well as meaning a recurrence for BA: if they did it once, they can do it again.
• Now that BA has been hacked, BA can no longer use the same software it was originally using, as it is no longer secure or safe to use. This will be a major job for BA, as it will need to find a company to provide new software that is more secure than the old software, which could be difficult as they thought they had the latest and finest security. Not only do they have to update their software, they will have to replace all the software they have in order to prevent a further attack on BA data. This will have a financial impact on BA as well as being time-consuming.
• There could be major legal costs. As 380,000 individuals were affected, this will mean major fees for BA, as many people are suing for non-material damages. These damages relate to issues like the stress endured from having their personal information stolen.
• As well as legal fees, BA will also have to compensate every single one of the 380,000 customers who have been affected. This will be another financial impact for BA.
• BA's reputation could be affected by the severity of the data breach and the vast number of people who were affected. This could have an enormous impact on BA. The risk now is that its reputation, which is a company's most important and valuable asset, has been harmed. Its high-profile brand name is very valuable and can be highly vulnerable to negative events such as the GDPR breach. This could immensely affect its sales and profits. Customers may not feel secure when booking with BA because of the breach, and may decide to book with other airlines as a precaution, as their confidence in BA could be shaken. It is much easier to lose customers than to gain loyal customers. With so much competition, e.g. Ryanair's €7.99 flights, who knows how many customers BA will lose; certainly the 380,000 who were affected won't be using its service again.
BA's Board of Directors will face consequences and be affected, as the blame lies with them. They must answer for why this happened and why it took so long for them to realise there had been a breach. Two weeks went by before anyone noticed, and it wasn't even BA themselves who noticed it but another airline. So this could have gone on for some time before BA noticed, and thousands and thousands more individuals could have been affected. The Board of Directors must now defend themselves as they face the massive GDPR fine as well as massive reputational damage and a heavy financial impact. It is also their responsibility to resolve the incident and prevent any further event that may occur.
As the case is still ongoing, it is not certain what the outcome will be for BA. It is the first GDPR case since the regulation was introduced, so the likely outcome is unknown. They could make an example of BA to show other companies how serious the GDPR is and that it should not be taken lightly; there are massive consequences when companies are in breach of the GDPR. They could also go in the opposite direction and go lightly on BA. BA is the first case, there are no previous examples to go by or rely on, and if BA can prove it did everything in its power to prevent the breach and has a good case, BA may come away with a somewhat lighter fine. The outcome will certainly be a fine, as data has been breached; the question everyone wants answered is how large the fine will be. In my opinion I believe that GDPR will.
From my extensive research of the GDPR and British Airways, it is evident that regulations like the GDPR are extremely important, especially in a society where technology is advancing and doesn't seem to be slowing down. The GDPR is critically important as it sets out rules and standards for companies like BA to comply with and ensures that all EU citizens are protected from privacy and data breaches. As we can see from the BA case above, there are many risks and consequences involved when the GDPR has been breached. The findings show that a breach will always have a major financial impact on a company and cause major reputational damage. Since the GDPR was introduced, breaches will be reported and known worldwide. The consequences for BA are still not known, as the case is still ongoing and being investigated; however, from my research of the GDPR, it is highly unlikely that BA will go unpunished. BA will certainly be handed a fine, as data has been breached; we will all just have to wait, along with BA, to see how large the fine will be and whether BA is made an example of for future events or is served a light fine.
BBC (2018). BBC News. [video] Available at: https://www.bing.com/videos/search?q=british+airway+gdpr+videos&view=detail&mid=A7E4578E1419DB1DA30607E4578E1419DB1D&FORM=VIRE [Accessed 11 Nov. 2018].
Express.com (2018). British Airways data breach. [video] Available at: https://www.bing.com/videos/search?q=british+airway+gdpr+videos&view=detail&mid=E42422185B38424C2D91E42422185B38424C2D91&FORM=VIRE [Accessed 11 Nov. 2018].
Eugdpr.org (2018). Key Changes with the General Data Protection Regulation – EUGDPR. [online] Available at: https://eugdpr.org/the-regulation/ [Accessed 4 Nov. 2018].
Britishairways.com (2018). Boeing 747-400 | About BA | British Airways. [online] Available at: http://www.britishairways.com/travel/boeing-747-400/public/en_gb [Accessed 4 Nov. 2018].
Calder, A. (2018). EU GDPR. Ely: IT Governance Ltd.
Oneworld.com (2018). British Airways – oneworld, Heathrow, round the world airfare. [online] Available at: http://www.oneworld.com/member-airlines/british-airways/ [Accessed 6 Nov. 2018].
PYMNTS.com (2018). Carillion May Prompt Supplier Payments Standards | PYMNTS.com. [online] Available at: https://www.pymnts.com/news/b2b-payments/2018/carillion-supplier-payments-standards-late-invoices/ [Accessed 6 Nov. 2018].
Theregister.co.uk (2018). Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways. [online] Available at: https://www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/ [Accessed 11 Nov. 2018].
En.wikipedia.org (2018). British Airways. [online] Available at: https://en.wikipedia.org/wiki/British_Airways [Accessed 11 Nov. 2018].
Britishairways.com (2018). Explore our past | History & Heritage. [online] Available at: https://www.britishairways.com/en-gb/information/about-ba/history-and-heritage/explore-our-past [Accessed 11 Nov. 2018].
PYMNTS.com (2018). British Airways Data Hack a Test Case for GDPR | PYMNTS.com. [online] Available at: https://www.pymnts.com/news/regulation/2018/british-airways-data-breach-gdpr-compliance-data-security/ [Accessed 12 Nov. 2018].
Out-law.com (2018). British Airways: data breach waters muddied. [online] Available at: https://www.out-law.com/en/articles/2018/november/british-airways-data-breach-GDPR-/ [Accessed 12 Nov. 2018].