British Airways (BA) has reached a settlement with the claimants of the massive 2018 data breach that affected over 420,000 of its customers’ personal data. Although the airline has not admitted liability, it has agreed to pay a financial settlement to avoid taking the case to the courts. The settlement is a milestone for data privacy and a warning to businesses that they must take data privacy seriously.
The settlement terms and payout remain confidential but PGMBM, the firm dealing with the group claim, said in January that BA could face customer claims totalling £800m – up to £2,000 per person. In addition to this, BA has had to pay a £20m fine to the Information Commissioner’s Office (ICO) for failing to comply with the General Data Protection Regulation (GDPR).
Data breaches are a fact of life for many businesses as more and more systems move online, but companies must take all the precautions they can to avoid a similar fate to BA, experts told Tech Monitor.
BA data breach: what happened in 2018?
On September 7 2018, BA sent an email to customers revealing that its IT systems had suffered a cyberattack affecting clients who made bookings through the BA website or app between August 21-September 5.
The data compromised included names, addresses, email addresses, payment card information (including CVV numbers), and BA employees’ logins. The cyberattack, which BA took more than two months to detect, affected approximately 429,612 customers and staff.
The airline said at the time that the “sophisticated, malicious criminal attack” had been the work of hackers, but information about the incident is no longer available on BA’s website.
An investigation by the ICO found that BA was processing personal data without adequate security measures in place. Investigators concluded that BA could have implemented measures available at the time to prevent or mitigate the risk of cyberattacks, including undertaking rigorous testing, protecting employee and third-party accounts with multi-factor authentication, and limiting access to applications, data and tools to only that which are required to fulfil a user’s role.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives”, information commissioner Elizabeth Denham said in a statement at the time. “The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The original ICO fine received by BA was £183m – the highest GDPR penalty ever awarded at the time. However, in October 2020 it was reduced to £20m after BA appealed based on the economic impact of Covid-19. The ICO also considered BA’s improvements to the airline’s IT security systems.
Under GDPR, companies can be fined up to €20m (£17m) or 4% of annual global turnover, whichever is higher. Penalties are not used for customer compensation as fines issued by the ICO are paid into a central government fund which belongs to the Treasury.
The 2018 breach was the last in a series of technical fiascos for BA. In May 2017, the airline had to cancel all flights for a day from London’s Heathrow and Gatwick airports because of an IT system outage, leaving thousands of passengers stranded. BA’s owner, IAG, saw its shares fall by 4% and its reputation severely damaged.
What do data privacy experts think of the BA data breach settlement?
Samantha Simms, data privacy attorney and CEO of digital compliance consultancy firm The Information Collective, welcomes the BA settlement as a victory for consumer data privacy.
Data breaches are a when, not an if, and UK consumers are now using their right to class action.
Samantha Simms, The Information Collective
“I think this is great news because we're seeing a class action being brought against a business under the GDPR,” Simms tells Tech Monitor. “It is a good reminder to all the companies that you do need to have your insurance in place and you need to have good security measures because data breaches are a when, not an if, and also because UK consumers are now using their right to class action.”
However, Andrew Brenton, owner and director of IOLIS Legal Services, says that the BA settlement is not so good news for smaller companies who may now face pressure to provide settlements where data breaches have occurred, since the absence of a judicial position will be likely to fuel future claims of this nature.
“The undisclosed settlement does little to establish any kind of benchmark for the amount of compensation that might be claimed,” Brenton says. “In my view, it would have been better to allow the matter to be argued in court so that we would have some precedent. It is quite understandable though, that BA has chosen to settle this out of court in order to reduce costs.”
Simms points out that GDPR enforcement by the ICO has been much lower than expected. Although the UK has accrued the fourth-highest level of GDPR fines, this is mainly due to the hefty penalties awarded to BA and Marriott Hotels, which was fined £18.4m last October. In terms of total fines issued, the UK is among the least active countries, and according to the GDPR Enforcement Tracker, has only issued four fines since May 2018.
This low enforcement could be due to a number of factors, explains Simms, including the pandemic delaying some enforcement actions and GDPR itself just coming to fruition. She also hinted that Denham, who is due to leave her post as information commissioner at the end of October, might not have been as strict with enforcement as expected.
“Perhaps a new regulator will have more vigour and be more vociferous in certain areas than the present information commissioner has been,” says Simms. "As the UK is starting to potentially depart from data privacy as we knew it under the GDPR and the European regime and starts to embrace more of a digital economy, I do question to what extent that will have an impact on regulator activity if the UK is trying to be more attractive for digital businesses.”
Some of the biggest data breaches Simms has worked on come from the travel and hospitality industries, which heavily rely on legacy systems plugged into one another and interconnected data. It is not unusual to see airlines and hotel chains among the top data breaches in history, including Marriot’s cyberattack affecting 339 million guests’ personal information or the more recent case of Sita, the IT operator of the Star Alliance of airlines including Singapore Airlines, Lufthansa and United.
“It’s an area that is ripe for data breach,” Simms adds. “This should be a big reminder to the travel technology payers, the airlines, the hotels, car companies… that plug into those travel technology companies. We all must be better.”