British Airways Data Hack A Test Case For GDPR


GDPR compliance has yet to be fully embraced by firms on a global scale, yet headlines from this past week show just what the repercussions might be against a new regulatory landscape.

As noted late last week, a data breach at British Airways was revealed – one that affected more than 380,000 transactions done over the company’s website, and may be among the first test cases of GDPR’s reach and impact.

The details of the hack itself: The bad guys grabbed onto the transaction data over a period of two weeks, beginning in late August and lasting into early September. The pilfered data included credit card information and data tied to individuals making reservations online, through the website and via the British Airways mobile app.

Among the first steps the firm took in the wake of the breach: CEO Alex Cruz apologized to those affected, and the victims have been told to contact banks or credit card firms.

Bloomberg reported that regulators – if they determine that the company should have had measures in place that could have prevented the breach – may levy fines.

The fine would come in tandem with mandates that are a few months old, and are part of GDPR. The law stipulates that companies take appropriate action in the wake of a breach and notify authorities within 72 hours of discovery. Companies could face fines of as much as 4 percent of global revenues – and in this case, British Airways could be on the hook for as much as nearly 500 million pounds, based on 2017 data.

Julian Saunders, who founded, a U.K. software firm that focuses on GDPR compliance, told the newswire that “at some point, a line needs to be drawn, and this might be the best time to do it.”

The fine would be contingent on findings that the company acted with negligence – and that has not happened yet, and it may not in fact be ruled to be the case. But in the meantime, British Airways has been cited in the financial trade press as having acted in a timely manner, alerting authorities and those consumers affected by the breach well within the aforementioned 72-hour window.

“BA’s reaction was very fast. The company’s transparency and frankness serve as a good example to other companies [that] are prone to minimizing the consequences,” Ilia Kolochenko, CEO of the web security firm High-Tech Bridge told Computer Weekly.

In further discussion of what might have happened, Kolochenko stated that “shadow IT and legacy applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them.” He also told the publication that “due to the GDPR, for example, many organizations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented,” he said.

Credit Unions Eyeing Data Security, Too

A bit closer to home, and as noted in the Credit Union Times, the payments systems provider The Clearing House said research has shown that across 2,000 U.S. consumers, roughly one third have used FinTech apps in the past year. That seems to be a promising data point showing a continued embrace of technology in financial services.

And yet the consumers using those same banking services worry about data privacy a lot – 89 percent of them do, in fact.

As many as half of those surveyed said they are uncomfortable sharing payment and financial data with apps. A bit more than half said they want to be able to choose what data the third parties are allowed to access.

Said the study: “Consumers have the greatest concern about sharing their bank account usernames and passwords, and are least worried about FinTech apps accessing their investment information and history. When it comes to more sensitive personally identifiable information, such as Social Security numbers and biometric records, around 60 percent of FinTech users are not comfortable sharing their data with FinTech apps.”

As to who is trusted to keep data safe, the survey found that 56 percent of respondents said that the “primary” financial institution – that is, the bank or credit union – is responsible for data security. Roughly a third of respondents think such security efforts are the purview of non-banks.

Money Laundering Weaknesses

Beyond GDPR, regulatory concerns still abound, of course. As noted in Financial Times, regulators across the pond are also setting sights on money laundering controls – which some observers say may be too weak to deal with the scope and severity of threats. FT quoted a confidential report that found incidents such as those seen at Danske Bank show “shortcomings” in how authorities at the national and EU level work in tandem to short-circuit threats. Those shortcomings come as there is a lack of clarity surrounding process and cooperation, reported the publication. Suggested improvements include the creation of a memorandum of understanding that could boost coordination of data sharing and other efforts.


New PYMNTS Report: Preventing Financial Crimes Playbook – July 2020 

Call it the great tug-of-war. Fraudsters are teaming up to form elaborate rings that work in sync to launch account takeovers. Chris Tremont, EVP at Radius Bank, tells PYMNTS that financial institutions (FIs) can beat such highly organized fraudsters at their own game. In the July 2020 Preventing Financial Crimes Playbook, Tremont lays out how.