Data Breach Issue At British Airways: Consequences And Implications
- December 28, 2023
British Airways: A Brief Overview
For every organization, ethical conduct is a basic requirement. Corporate governance and accountability are closely connected with ethics: corporate governance demands that an organization act responsibly towards all of its stakeholders. The current corporate world depends heavily on technology, and in such a scenario it becomes the social responsibility of every corporation to keep the data of its customers secure in every way possible. Every nation has different laws and legislation to deal with the issue of data breaches. For instance, the European government has introduced the General Data Protection Regulation (GDPR), 2016/679, in the area of data security breaches and protection. This assignment focuses mainly on the issue of a serious data breach. The study of the topic is significant for understanding the consequences of such events for the corporation as well as for affected stakeholders. It is also important because data breach events represent a failure of a company’s corporate governance. In this assignment, a company is selected and reviewed with respect to a data breach issue, and finally the possible consequences of the breach for the company are discussed.
The company chosen for this research assignment is British Airways, which was recently reported to have failed to protect the personal data of its customers. As the name of the company implies, it operates as a flag carrier. It is the largest airline in the UK on the basis of fleet size and the second largest airline in the UK in terms of passengers carried (Plunkett, 2008). The company was established in the year 1974 after the establishment of the British Airways Board by the British Government. BA CityFlyer is a wholly owned subsidiary of British Airways (Lashley and Morrison, 2007). The company also runs loyalty programs. British Airways provides many services to its customers, such as short-haul, mid-haul, and long-haul flights. In addition, different kinds of cabins are available to customers of British Airways (hereinafter referred to as BA).
It is no surprise that BA has experienced a number of incidents and accidents. For example, in the year 2008, one of its flights crash-landed (Simpson, 2014). More recently, in the year 2018, an attack on the company’s website was reported. The discussion below gives detailed information about this cyber-attack.
Data Breach Incident at British Airways
British Airways issued a statement that people who booked flight tickets with BA between 21 August 2018 and 5 September 2018 could be affected by a data breach (Whittaker, 2018). The company has not disclosed much about the issue. It was not an ordinary data breach: it affected around 380,000 customers, whose personal data was stolen. After a detailed study of this data breach case, experts stated that the data of these customers would probably soon be available for sale on the internet.
It was a clear breach of corporate governance. Although BA did not act with wrongful intent, the company failed to protect the data of its customers. The cybersecurity officer assumed that personal data of BA customers, such as credit card details, the CVV printed on the card, and contact numbers, might already exist on the dark web. Dark web is a term that commonly refers to a corner of the internet that can only be accessed with the help of particular software, developed mainly with the intention of data breaches (Vilches, 2017). Paul Lipman, chief executive of cybersecurity company Bullguard, also said that the credit data was almost ready to be moved onto the dark web.
The data of 380,000 customers fell into danger overnight (Thehindubusinessline.com, 2018). BA stated that the data was not stolen by breaking the encryption; rather, the hackers used more powerful and very sophisticated techniques and methods. During the investigation, cybersecurity experts said that because the CVV of the card was also among the stolen data, it is clear that the hackers stole the data at the time when customers were entering their information on the website and not later from the company’s database. Simon Migliano, a cybersecurity expert and head of research, estimated the value of the stolen data and stated that it could be worth £21.5m in total (theguardian.com, 2018). This was a very significant amount.
Turning to the security law of the nation, section 2 of the Data Protection Act 2018 states that one should process the personal data of individuals carefully, fairly and lawfully. Section 3(2) of the Act provides a definition of data (Legislation.gov.uk, 2018). The Act sets out the manner in which the personal data of individuals should be processed and the activities one should not engage in while dealing with the personal data of others. In the present case, BA breached certain provisions of this Act, as it failed to secure the data of its customers, irrespective of the fact that it was not at fault. Most of the provisions of the current data security act are similar to GDPR (Local.gov.uk, 2018). As the company breached the provisions of this Act, it can be stated that it also failed to provide security to the data of its customers under GDPR.
Violations of Security Law and GDPR
Whenever a company fails to comply with privacy or data protection law, many adverse consequences follow. At first it seems that the only affected people are those whose data was stolen, but a detailed study of such issues shows that a company also suffers many losses whenever it fails to secure the personal data of customers and other stakeholders. In the studied case, too, British Airways faced many risks and adverse consequences after the data breach incident. These risks and consequences are set out below.
- Damages: Damages are the compensation that a guilty party has to pay to the victim party in a case for the harm and damage caused to him/her by the act of the guilty party. Article 82 of GDPR states that a person who suffers material or non-material damage because of an infringement or breach of this regulation has the right to ask for compensation from the processor or controller for the damage suffered (Lambert, 2016). This article further says that a controller will be held liable and responsible where he/she breaches any of the instructions provided to him/her under this regulation.
British Airways promised that no customer would face out-of-pocket expenses because of this cyber-crime incident. However, BA has not commented on the lawsuits, only on the direct losses suffered by customers. BA stated that the company would reimburse every direct loss that customers faced because of the data breach incident. BA also recommended that customers who made bookings between 2:58 BST August 21, 2018, and 21:45 BST September 5, 2018, contact their card providers or banks to check their balance details. These were the direct damages that BA was ready to pay to the victim parties. But what about indirect losses and damages? Special Protection Group (SPG) Law said that BA is also responsible for paying indirect damages to victims, as they suffered mental stress and inconvenience because of the data breach incident (Theweek.co.uk, 2018). SPG Law referred to Article 82 of GDPR and said that the law provides damages even for non-material breaches. This is a risk that BA can face in the future, because SPG Law stated that it will bring a collective claim for non-material damages on behalf of multiple victims.
This means BA is at risk of having to pay material as well as non-material damages to victims, which will affect the financial condition of the company in the future.
- Class actions: Apart from damages, class actions are another threat that BA can face in the future. A class action is a kind of joint suit that many people from one specific class bring against the guilty person. An organization has many stakeholders who can bring a collective class action for wrongful conduct. In this case, BA can face a class action from the group of its customers who suffered from the private data breach. Further, BA has been threatened with a class action lawsuit in the UK courts, which would lead to an additional cost worth £500 million to the company (Schwartz, 2018).
- Penalties: Damages are the amount that a guilty party has to pay to the victim parties, whereas penalties are the fines that a person has to pay to a court or authority for breaching the provisions of a law. Regulators stated that they are making inquiries against BA. Many other regulators, such as the Information Commissioner’s Office (ICO), the National Cyber Security Centre, and the UK’s National Crime Agency, are making this inquiry. The breach in question was reported after the introduction of the nation’s new privacy law. The Data Protection Act includes the provisions of GDPR, and BA can be held liable for breaching it.
If that happens, the company would have to pay a penalty of either 4% of global turnover or £17 million, whichever is greater. Last December, the company achieved a turnover worth £12.2 billion, and hence the company can face a fine worth £500 million (Irishexaminer.com, 2018).
- Loss of Goodwill: The goodwill of an organization is a valuable asset that it develops over a long period. Before the data breach incident, this company had high goodwill in the eyes of customers, but the trust of its customers has now fallen. They now think that their personal information is not secure with the company. After the incident, many of the affected customers tweeted at BA and showed their anger and dissatisfaction with the services of the company. In addition, the authority under GDPR sent a mail to BA stating that the company needs to be more careful in future while dealing with the private data of customers. This shows that everyone, from regulators to customers, is unsure about the safety measures taken by BA.
Conclusion
To conclude, the data breach incident has brought, and is expected to bring, many negative results to the company. It was a serious breach and affected almost 400,000 valuable customers. Irrespective of the fact that the company was not actually guilty, the incident raised an issue of breach of corporate governance. The case cannot be treated as an ethical breach, as the company did not act with wrongful intent and apologized to the public for the incident. After analyzing the whole issue, it can be said that the company can face many issues in the future, including financial as well as non-financial losses. The new privacy law regulations are very new in the area, and British Airways can be held liable under them. The company is now required to take more care and to notify the authority within 72 hours of a data breach incident, according to the provisions of GDPR. In addition, the company needs to understand how valuable the data of customers is, and is therefore advised to comply with the provisions of GDPR.
References
Irishexaminer.com. (2018) British Airways could face £500m fine as regulators probe data breach. [online] Available from: https://www.irishexaminer.com/breakingnews/business/british-airways-could-face-500m-fine-as-regulators-probe-data-breach-867441.html [Accessed on 30/10/2018]
Lambert, P., (2016) The Data Protection Officer: Profession, Rules, and Role. New York : CRC Press.
Lashley, C., and Morrison, A.(2007) Franchising Hospitality Services. Oxon: Routledge.
Legislation.gov.uk. (2018) Data Protection Act 2018. [online] Available from: https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf [Accessed on 30/10/2018]
Local.gov.uk. (2018) General Data Protection Regulation (GDPR). [online] Available from: https://www.local.gov.uk/our-support/general-data-protection-regulation-gdpr [Accessed on 29/10/2018]
Plunkett, J., W. (2008) Plunkett’s Airline, Hotel & Travel Industry Almanac 2009: Airline, Hotel & Travel Industry Market Research, Statistics, Trends & Leading Companies. Plunkett Research, Ltd.
Schwartz, M., J. (2018) British Airways Faces Class-Action Lawsuit Over Data Breach. [online] Available from: https://www.bankinfosecurity.com/british-airways-faces-class-action-lawsuit-over-data-breach-a-11478 [Accessed on 30/10/2018]
Simpson, P., (2014) The Mammoth Book of Air Disasters and Near Misses. UK: Hachette UK.
theguardian.com. (2018) BA customers’ credit card details ‘probably already for sale’. [online] Available from: https://www.theguardian.com/business/2018/sep/07/ba-british-airways-customers-hacked-credit-card-details-dark-web [Accessed on 29/10/2018]
Thehindubusinessline.com. (2018) British Airways web site suffers data breach. [online] Available from: https://www.thehindubusinessline.com/economy/logistics/british-airways-web-site-suffers-data-breach-380000-payments-affected/article24890064.ece [Accessed on 29/10/2018]
Theweek.co.uk. (2018) British Airways data breach: customers entitled to ‘distress’ compensation. [online] Available from: https://www.theweek.co.uk/96327/british-airways-data-breach-how-to-check-if-you-re-affected [Accessed on 29/10/2018]
Vilches, J. (2017) The Dark Web: What Is It and How To Access It [online] Available from: https://www.techspot.com/article/1177-dark-web/ [Accessed on 30/10/2018]
Whittaker, Z. (2018). British Airways customer data stolen in data breach. [online] Available from: https://techcrunch.com/2018/09/06/british-airways-customer-data-stolen-in-data-breach/ [Accessed on 29/10/2018]