British Airways may become the first high-profile company to run afoul of Europe’s far-reaching data privacy rules — and face potentially hefty fines — after a computer hack compromised credit card data from some 380,000 customers.
The European Union’s General Data Protection Regulation, or GDPR, which took effect in May, mandates that companies have to take technical precautions such as encryption to ensure client data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them.
“This is one of the first big tests of GDPR,” said Julian Saunders, founder of Port.im, a British software maker that helps businesses adapt to the rules. The question for regulators is “whether BA’s actions warrant a fine.”
Violations can be punished with as much as 4 percent of a company’s annual sales, which for BA could reach about 489 million pounds ($633 million) based on 2017 figures.
The hack at BA lasted for more than two weeks during the months of August and September, with intruders getting away with account numbers and personal information of customers making reservations on the carrier’s website and mobile app. Chief Executive Officer Alex Cruz has apologized to clients in a letter and urged them to contact their bank or credit card provider.
“This looks like a classical data breach,” Konrad Meier, a specialist on data privacy laws at EY in Zurich, said in an interview. “The authorities will now want to understand how and why this happened in order to determine whether it could have been prevented.”
Should regulators conclude that BA failed to take measures to prevent the incident, “a fine may follow,” he said.
Asked about the prospect of a possible fine, a spokeswoman for the carrier, which is owned by International Consolidated Airlines Group SA, said in an email that its main concern “is to take care of the customers that may have been affected.”
BA and IAG are likely to be liable for consequent losses, but probably have insurance in place to cover such expenses, RBC Capital Markets analysts including Damian Brewer said in a note. Still, the incident risks hurting the airline’s reputation, especially because the company has suffered other IT failures, they said.
A data breach doesn’t necessarily mean a company is at fault, EY’s Meier cautioned, as “even best-practice security standards can be hacked.”
A spokeswoman for the UK’s information commissioner’s office, known as ICO, said BA “has made us aware of the incident and we are making enquiries.”
BA responded in an “exemplary manner” and the data appears to be have been intercepted before it went to the airline’s servers — so encryption and other security measures would not have prevented it, according to Port.im’s Saunders. Yet the carrier may still be vulnerable to sanctions.
“The ICO may use this breach as a warning to other big companies that it means business,” he said. “At some point a line needs to be drawn and this might be the best time to do it.”