British Airways is facing a multimillion-pound fine as it grapples with the fallout of a massive security breach last year. Thousands of customers had to cancel their credit cards after a 15-day intrusion compromised around 380,000 payments, and the carrier now faces a £183m penalty from the UK's Information Commissioner's Office (ICO), the biggest the regulator has ever announced. The airline, which points out that no travel or passport information was stolen, says it is surprised and disappointed by the ICO's decision and intends to appeal.
British Airways Hack
The British airline revealed the hack in September, just a few months after the European Union tightened data protection law with the General Data Protection Regulation (GDPR). On 6 September it announced that the personal and payment details of tens of thousands of customers had been stolen in a data breach. BA described the attack as sophisticated, malicious and criminal; it compromised 382,000 transactions carried out on its website and app between 21 August and 5 September. Credit card details, including the card number, expiry date and the three-digit security code (CVV, card verification value), were extracted from the reservations system.

Under the Payment Card Industry Data Security Standard (PCI DSS) the CVV must not be retained once a transaction has been authorised, and BA says it never stored it. That did not help here, because the Magecart skimming code was injected into the payment page itself: the card details were copied at the moment the customer entered them, before the booking system had any chance to discard the CVV. BA says it responded quickly once the theft was discovered and has found no evidence of fraud on accounts linked to it. The stolen data did not include travel or passport details.
Which customers were affected by the British Airways hack?
About 380,000 people who booked directly with the airline during the 15-day window were affected by the breach. Bookings made with the carrier directly, or through travel agents, outside that time-frame were unaffected. Travellers who booked BA code-share flights through other airlines' websites, such as American Airlines, Aer Lingus or Iberia, did not have their details stolen.
General Data Protection Regulation (GDPR)
People’s personal data is just that – personal. When any organization fails to protect it from loss, damage or theft it is more than an inconvenience. The ICO has announced that it will levy a £183.39 million fine under the General Data Protection Regulation (GDPR) for the company’s failings. The BA fine is the first to be made public under the new rules, which came into effect in May 2018 in “the biggest shake-up to data privacy in 20 years”. Before the GDPR, data breaches of this type fell under the Data Protection Act, which capped the maximum fine at £500,000. The GDPR raised this limit to £17.92 million or four percent of a company’s annual global turnover, whichever is greater.
The breach is also likely to trigger follow-on cyber crime, with fraudsters sending scam emails that reference the incident in a bid to obtain further confidential information. While BA says it is taking all appropriate steps to defend its position vigorously, it has warned its customers that it will never contact them to ask for payment card details, and that any such request should be reported to the police and the relevant authorities.