Governance and compliance – BA, Nielsen and Stena

British Airways

British Airways revealed on Wednesday that payment card records of approximately 380,000 customers had been hacked over a 15-day period from mid-August to early September. It was apparently told about the breach by a third party – in other words, its own security testing and monitoring were inadequate to protect its customers’ transactions.

Any payment card breach is also a de facto personal data breach and has to be reported to the ICO under the GDPR/Data Protection Act 2018. It is alleged that BA was not, at the time of the breach, fully compliant with the requirements of the PCI DSS, which applies to all organisations that process payment cards. If this is the case – and it’s very difficult to see how it might not be – then the immediate consequences for BA are likely to be as follows:

  1. A PCI SSC forensic investigation, paid for by BA, designed to determine exactly what happened.
  2. The ICO investigation is likely to recognise a significant degree of negligence in protecting personal data, because PCI compliance should be a given for any payment processor – which means that fines will tend to be at the top end of the possible range. A breach of the GDPR’s sixth data processing principle, that personal data must be secured appropriately, means that the higher tariff (up to 4% of global turnover) is the appropriate basis for determining ICO penalties. Of course, if the ICO’s investigation were to reveal that the negligence extended to BA’s parent company, IAG, then you might expect fines to be levied on the basis of IAG’s global turnover.
  3. The direct customer compensation bill is still undetermined but, as BA has guaranteed that it will reimburse any financial losses, it may run into millions of pounds.
  4. Legal firm SPG Law is also seeking financial compensation from BA on behalf of passengers for the non-financial damages they have suffered, including “inconvenience, distress and misuse of their private information”. (See this article for more detail.) Newspaper reports suggest this alone may cost BA £475 million. Such an action is explicitly allowed under the GDPR, and this may be the first of many such actions that breached organisations have to contend with.
  5. All of this will undoubtedly divert management from running the business, will divert customers, and will compromise both revenue and profitability.


A shareholder in Nielsen Holdings PLC, a company quoted in both London and New York, is seeking to bring a class-action lawsuit against Nielsen, as well as its CEO and CFO, for allegedly misleading statements about its GDPR compliance and preparedness. This story provides the detail. The critical learning point is that, if an organisation claims that it is GDPR-compliant and it is not, then it faces a significant risk of exactly this sort of legal action, which, again, will tie up management for a considerable period as well as potentially affecting both the top line and the bottom line. And what’s the likelihood that Nielsen’s public outing as not being GDPR-compliant triggers a series of further attacks and lawsuits?

British Stena Line

The bank accounts and other personal details of 800 UK staff of Stena were compromised as a result of a successful phishing attack, as described in this article. Two questions in the ICO’s data breach reporting form are:

  1. Had the staff member involved in this breach received data protection training in the last two years?
  2. Describe any measures you had in place before the breach with the aim of preventing a breach of this nature

It appears that Stena failed to adequately train staff to spot and deal with phishing emails. Phishing is, after all, one of the most common and most successful attack vectors for cyber criminals right now, so staff should be trained, probably quarterly, on how to identify these emails, and organisations need robust processes for dealing with them.

Data should also be encrypted. If Stena had encrypted its staff records, it would likely not have had to report the data breach!


Shareholders and investors are increasingly concerned over boards’ capabilities to adequately deal with cyber security and data protection risks to organisations (see this Financial Times article).

While there is no real substitute for boards actually getting to grips with the issues, there is also no real substitute for the assurance that comes from implementing an integrated management system that complies simultaneously with both ISO/IEC 27001 and BS 10012.

At GRC International Group, we’ve done that already; we’re also working with a number of clients to help them achieve a similar standard – which will give their stakeholders and customers some peace of mind that one of the 21st century’s biggest governance issues is being addressed.

Get #BreachReady today

The EU GDPR (General Data Protection Regulation) requires all data controllers to report certain types of personal data breaches to the ICO (Information Commissioner’s Office). You must do this within 72 hours of becoming aware of the breach where feasible.

Finding out what the breach is, who has been affected, how extensive it is and how it happened within 72 hours is not easy — especially when organisations want to use this time to start fixing damage caused by the breach.

Your organisation needs to be #BreachReady. IT Governance has put together all the information you require to begin your journey to breach readiness:
