British Airways: data breach waters muddied

The uncertainty has arisen because the company has now disclosed that a second dataset was potentially compromised, which it uncovered when investigating the first dataset. The incident is now believed to have first occurred earlier this year prior to 25 May 2018 – the date the GDPR took effect.

It is unclear yet whether there is a link between the two datasets, but the latest announcement by the company does highlight a number of issues that the UK's Information Commissioner's Office (ICO) is likely to have to consider.

The first dataset (event one)

On 6 September 2018, International Airlines Group (IAG), the parent company of British Airways, publicly announced that personal data belonging to customers of the airline had been stolen in a cybersecurity incident that impacted its website and mobile app. The company said the "theft" took place between 22:58 BST on 21 August 2018 and lasted until 21:45 BST on 5 September 2018.

According to the statement at the time, the stolen data included personal and financial details of customers making bookings and changes on ba.com and the airline’s app, but did not include travel or passport details. The company said it had reported the incident to the ICO, as well as the UK's National Cyber Security Centre (NCSC).

In an interview with the BBC, BA chief executive Alex Cruz described the incident as a "sophisticated, malicious criminal attack". The company initially said that it thought the data breach impacted approximately 380,000 transactions, but confirmed in a follow-up statement issued on 25 October that "fewer of the customers originally identified were impacted" as the details from 244,000 payment cards "were affected".

The second dataset (event two)

IAG's follow-up statement on 25 October also contained details of a second dataset that the company said the airline had uncovered as part of an internal investigation into the first dataset.

According to the statement, British Airways has warned the holders of 185,000 payment cards that their data may have been compromised too in a security breach impacting customers making reward bookings between 21 April and 28 July this year, and who used a payment card.

"The investigation has shown the hackers may have stolen additional personal data and British Airways is notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV," IAG's statement said.

CVV is the security code that is printed on the back of payment cards which customers have to fill in during online transactions.

Issues for the ICO to consider

The ICO has confirmed that its investigation into the British Airways data breach is "ongoing". The second event that British Airways has reported potentially complicates how the watchdog considers the company's compliance with data protection laws, however.

When British Airways announced details of its first event in September, it appeared to be a personal data breach that was reportable under the GDPR and that the company's compliance would be considered under that new regime. This is because the company confirmed the breach involved personal data and that it had taken place after 25 May 2018.

Organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals under the GDPR. A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.

In the British Airways case the ICO will have to first consider whether there is a link between event one and event two. If there is, it could be argued that both events should be considered under the Data Protection Act 1998, since event two  appears from what the company has said to have started before the GDPR took effect and may well be linked to event one.

The ICO has previously confirmed to Pinsent Masons, the law firm behind Out-Law.com, that incidents which occur prior to 25 May 2018 will be considered under the Data Protection Act 1998 – the Act that applied until the GDPR, and new Data Protection Act 2018 in the UK, took effect on that date this year. None of the provisions in the GDPR will apply to incidents which occurred before 25 May 2018, it said.

Out-Law.com asked the ICO to confirm, in light of British Airways' latest update, which rules it is investigating the company's compliance with. An ICO spokesperson said it was too early in the watchdog's investigation to answer that question.

There may be other complicating factors

Comments made by the ICO in January this year hint at another factor which it could give consideration to. At the time it appeared to suggest that businesses that had known security vulnerabilities prior to 25 May 2018 but ignored them would potentially be subject to the GDPR's rules if a personal data breach occurred after 25 May 2018 that stemmed from those known vulnerabilities.

The comments were made by Nigel Houlden, head of technology policy at the ICO, in a blog published by the watchdog on the subject of security patching.

Houlden said: "Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously."

An organisation does not actually have to have experience a notifiable "personal data breach" to be at risk of a fine under the GDPR. Late detection of a security incident or failure to adequately remedy a related incident could be indicative of processes and procedures that do not achieve compliance with the 'security of processing' rules under Article 32 and/or the overarching basic data security principle under Article 5(1)(f) and call into question whether an organisation’s GDPR implementation programme had been sufficient to achieve compliance by 25 May 2018 on high risk areas such as data security.

Under the GDPR, data protection authorities that find businesses have breached Article 32 will be able to issue fines of up to 2% of the company's annual global turnover or €10m, whichever is highest. However, fines of up to 4% of annual global turnover, or €20m, can be levied where breaches of the Article 5 basic principles are identified.

A further issue the ICO is likely to have to consider is whether the customer data British Airways has admitted was compromised, the first dataset, and potentially compromised, the second dataset, concerns customers from different countries. If it does, the case is likely to be considered a cross-border one which other data protection authorities in the EU have potential influence over under the GDPR's cooperation and consistency mechanism.

Data protection authorities from other EU countries whose citizens have been affected by the breach may hold a different view from the ICO on whether a breach falls subject to the GDPR, whether there has been non-compliance with its provisions and whether it is appropriate to issue a fine. The cooperation and consistency mechanism gives 'concerned' data protection authorities the right to make comments and express their opinion on the ICO's handling of a cross-border case and requires the ICO to take due account of those views.

If there is a divergence of views then the case could go to the European Data Protection Board to issue a decision. This has to be done before the ICO issues any decisions including any taking any enforcement action to the data controller.

Ian Birdsey, Kathryn Wynn and Michele Voznick are experts in data protection law at Pinsent Masons, the law firm behind Out-Law.com.