Head of Data Protection, Patrick Wheeler, comments on the British Airways data breach and its impact

07 Sep 2018

The recently reported data breach affecting British Airways customers highlights the importance for all businesses of applying and reviewing appropriate data security measures, which is one of the key principles of the GDPR. 

It is rather surprising that it took over 2 weeks before the data breach was discovered, and this means that a very large number of customer transactions are likely to be affected. This breach will need to have been reported to the ICO within 72 hours of discovery. BA has already assessed the breach and decided to inform the data subjects. The ICO is likely to conduct a thorough investigation of BA’s security and, if it is found wanting, the ICO has the power to impose a fine of up to €10 million or 2% of BA’s worldwide turnover. If BA is found in breach of Article 5 GDPR, such that it did not ensure appropriate security of the data, including protection against unauthorised or unlawful processing, then the maximum fine could be doubled.

BA has immediately taken steps to investigate the breach and put a stop to it, to notify customers and publicise the steps that it is taking. These are all important to mitigate both the effects of the breach and the severity of enforcement action by the ICO. However, it is already clear that BA is suffering reputational damage and while some commentators believe this will quickly pass, much will depend on the extent of the breach once the full story is clear. It is very often the case that the extent of the breach is worse and sometimes much worse than the initial report suggested. 

There is still a great deal of work for BA to do.
