British Airways has revealed a major data breach, with the personal and financial records of nearly 400,000 customers being compromised.
The airline revealed the hack took place over a sustained period of just over two weeks, between 21 August and 5 September 2018.
It remains to be seen whether BA becomes the first major brand to be hit with fines under the new GDPR legislation, which can amount to as much as 4% of a business’s annual global turnover (or €20 million, whichever is higher).
Under GDPR legislation, any business experiencing a data breach must inform regulators within 72 hours of becoming aware of the incident. The UK’s data regulator, the ICO, has been informed and is currently “making inquiries”, according to a spokesperson.
The ICO is yet to hand out any major fines under the new legislation, and earlier in the year the regulator’s head of risk and governance, Louise Byers, stated:
“Our policy makes it clear that we won’t be changing our approach to fines in four days’ time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law.”
Byers added: “If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.”
Alex Cruz, British Airways’ chairman and chief executive, has seemingly heeded this call, issuing an early plea to customers: "We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously."
Any customers who made bookings via the airline’s app, or via ba.com, during that period have been told to contact their banks and credit card issuers. Beyond this general advice, the airline is also required under GDPR to contact affected customers directly:
"If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay," guidelines from the Information Commissioner’s Office (ICO) state.
Rachel Aldighieri, MD of the Direct Marketing Association (DMA) believes BA will need to be more transparent in the immediate future:
"It is imperative that British Airways is forthcoming with information and advice to affected customers on what this means for them and how they can protect their personal information and payment details,” says Aldighieri.
“Accountability and transparency are two of the core principles of GDPR, which means British Airways has a duty to ensure their customer data is always secure. They need to show that they have done everything possible to ensure such a breach won’t happen again.
“The risks go far beyond the fines regulators can issue – albeit that these could be hefty under the new GDPR regime. The long-term effects on customer trust, share price and public perception could have more lasting damage to the brand."
The data breach comes as British Airways is in the midst of a slide in fortunes. Its World Airline Award ranking has slipped from 1st in 2006 to 40th in 2017. And whilst profits are stated to have been up last year after a similar slide, its customer service ranking has plunged in recent years.
Research by Which? shows the airline received a customer score of just 52% - a drop from 67% in 2016, putting it third-bottom amongst short-haul carriers.
About Chris Ward
Chris is Editor of MyCustomer. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News. He joined MyCustomer in 2014.