The update to general data protection regulation (GDPR) stipulates that firms must report a breach within 72 hours. It took British Airways just one day to announce it had been hit by a cyber-attack between 21 August and 5 September. On 6 September, the airline informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and cvv codes.

Soon afterwards, it was discovered the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster in June this year, Magecart.

Despite BA’s quick reporting of the breach, experts think the airline could be hit by a huge fine under the GDPR, which came into place on May 25. Previously, the largest fine issued by the Information Commissioner’s Office (ICO) was £500,000.

But under GDPR, firms can be fined up to 4% of turnover: In BA’s case £500 million. If the airline’s parent group International Airlines Group (IAG) is held accountable instead, the number could be even higher.

And of course, the fines are in addition to any compensation BA needs to pay to customers who might have suffered financial fraud as a result of the breach. But the costs do not end there: BA has been threatened with a £500 million class-action lawsuit in a UK court by law firm SPG Law. It alleges BA is liable to compensate for non-material damage under the Data Protection Act 2018, the UK’s implementation of GDPR.

#GDPR #BritishAirways #BA #DataBreach # Fines #ICO #IAG #Airlines #CreditCards