Out-Law News 3 min. read
11 Sep 2018, 10:04 am
The "theft" took place between 22:58 BST on 21 August this year and lasted until 21:45 BST on 5 September, the company said.
The incident has been reported to the UK's data protection authority, the Information Commissioner's Office (ICO), which has said it is "making enquiries". The National Cyber Security Centre (NCSC) has also said that it is "working with partners to better understand this incident and how it has affected customers".
In an interview with the BBC, BA chief executive Alex Cruz described the incident as a "sophisticated, malicious criminal attack". The data breach impacted approximately 380,000 transactions.
According to BA's statement, the stolen data included personal and financial details of customers making bookings and changes on ba.com and the airline’s app, but did not include travel or passport details.
"Names, billing address, email address and all bank card details were all at risk," it said.
The company said the incident had been "resolved" but urged affected customers to contact their bank or credit card provider and to "follow their recommended advice". It said customers will be eligible for compensation should they suffer a loss a result of the breach.
"We take the protection of our customers’ data seriously and are very sorry for the concern that this criminal activity has caused," BA said. "No customer will be out of pocket as a direct result of the criminal theft of data from ba.com and the airline’s mobile app. Any customer who made a booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018 will be reimbursed for any fraudulent activity on their accounts as a direct result of the data theft and we shall advise the process for this in due course."
"We will be offering a 12-month credit rating monitoring service to any affected customer who is concerned about an impact to their credit rating, provided by specialists in the field and will share details of this in the near future," it said.
Ian Birdsey, a cyber risk expert at Pinsent Masons, the law firm behind Out-Law.com, said BA responded promptly in light of becoming aware of the data breach.
"Responding to cyber incidents is a team sport," Birdsey said. "It is important to join up individuals and teams from different disciplines and workstreams to respond successfully to breaches. This will include people skilled in IT forensics, PR and communications, as well as in legal and regulatory compliance."
Birdsey said that it would appear from the timeline of the breach disclosed by BA that the incident will be considered by the ICO under the General Data Protection Regulation (GDPR).
Organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals under the GDPR.
A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
Previously, only some organisations, including telecoms companies and financial firms, were obliged to report certain data breaches they experienced to the regulators.
"It is likely that the ICO will lead a comprehensive investigation into the incident including the factors which caused or contributed to the incident," Birdsey said. "Some reports have suggested the potential involvement of third parties including third party software, which are often a factor in incidents."
Birdsey said it is increasingly common for organisations to receive data subject access requests (SARs) following a data breach incident. As a result, he said BA will need to be prepared to deal with SARs submitted in the coming days and weeks in accordance with Article 15 of the GDPR.
He also said that BA should be aware of potential for the incident to trigger claims against the company and/or its directors and officers in view of any impact the breach has on the company's share price.