9 October, 2018
British Airways have found themselves the subject of a significant data breach in which the data of some 380,000 customers was stolen. The hack is said to have taken place over a two-week period from 21 August to 5 September, during which time personal and financial details relating to passengers were stolen. The airline, however, maintains that this information did not include travel or passport details.
While financial information is not a 'special' category of personal data under the GDPR, the hack nevertheless remains of high severity because the hackers accessed the card security codes, or 'CVV' numbers. A CVV together with the card number and expiry date is enough for extensive misuse of a card. This combination is particularly valuable to criminals, and for that reason the payment card industry's PCI DSS rules do not permit companies to store the CVV once a transaction has been authorised. British Airways insists that it did not do so; instead, the customers affected were those who booked or amended bookings during the two-week period, which is consistent with the data having been captured as customers entered it rather than taken from stored records. This underlines that personal data must be protected by appropriate technical measures (Article 32 of the GDPR requires a level of security appropriate to the risk), put in place specifically to limit the likelihood of identity fraud.
Timing is everything
The GDPR clearly sets out the requirement to notify a breach. This requirement is two-fold: first, the controller must inform the supervisory authority (Article 33); second, in certain cases, it must inform the affected data subjects (Article 34).
A data controller should notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.1
On 7 September the Information Commissioner's Office ("ICO") stated that British Airways had informed it of the breach and that enquiries were being made.2 Having become aware of the breach only the previous day, British Airways therefore notified the ICO well within the 72-hour period.
Where a breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall, without undue delay, notify the data subject to whom the breach relates.3
British Airways first contacted customers informing them that "financial details" had been "compromised", confirming a day later that this included bank card numbers, expiry dates and CVV...