The scale of the British Airways data breach has been described as “astounding” and “very worrying” by cyber security experts, after thousands of customers’ personal and financial data was obtained by hackers.
Who is affected?
BA has confirmed that bookings made between 22:58 BST 21 August and 21:45 5 September are thought to have been affected (approximately 380,000 of the airline’s customers) and those customers are likely to have had their personal and financial details compromised as a result.
Details such as personal information and payment data may have been stolen from those using the company’s website and mobile app to make bookings. However, BA explicitly stated that passport details and travel plans were not accessed by the hackers, and stressed that only people who had made bookings during the two-week period in question were at risk.
The more controversial part of the matter is that the hackers have also stolen the three-digit CVV security code, the storing of which by companies is prohibited by the PCI Security Standards Council. British Airways insists it did not store the CVV numbers on its systems.
The full financial impact on affected British Airways customers may not be felt immediately, however: stolen bank card details are likely to pass through criminal forums on underground websites before they are used.
Security experts advised BA customers to be wary of scam emails that use credentials taken from this breach, and to consider cancelling their credit and debit cards for peace of mind.
“The breach has been resolved and our website is working normally,” BA said in a statement. “We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
BA has now recruited the help of the National Crime Agency and the National Cyber Security Centre to investigate how the incident was able to happen.
What does this mean from a GDPR standpoint?
BA said it began notifying affected customers at 22:00 on Thursday evening, but that this process had been delayed due to the high volume of emails being sent.
The General Data Protection Regulation requires that companies take precautions to protect customer data and notify authorities of any breaches within 72 hours.
If it’s determined that British Airways didn’t do enough to protect consumer information, it could be facing a fine of up to 4 percent of its annual revenue (that works out to about 500 million pounds). That is a big “if,” though. Even well-protected companies can be hacked, so the mere fact that the data was compromised doesn’t mean the company is at fault. In the meantime, the company’s CEO has promised to compensate any customers financially affected by the hack.
This is one of the first major data breaches since the new regulations went into effect and regulators may see this as an opportunity to make an example of the company to show they are serious about enforcing GDPR.