The aftermath of the cyber attack on British Airways’ data systems provides a textbook example of why Europe’s senior management must pay more attention to their organisations’ IT security provisions – and gain a better understanding of the cyber threats they now face. Embarrassing though the theft of 380,000 customer transaction details has been for the airline, the wider impacts will make themselves felt on BA’s line-of-business.
In the UK, the market is waiting to see how the Information Commissioner’s Office (ICO) will react to the BA incident, and it will be months before an investigation concludes. True, BA complied with Article 33 of GDPR, in that it notified the supervisory authority of the breach within 72 hours of discovery. But that won’t save it from a fine for inadequate systems security.
If the ICO decides that a penalty is due, it has yet to be determined whether it will fine BA itself or its parent company, IAG. The regulator can theoretically fine an organisation up to 4% of its annual turnover. BA’s revenue for 2017 was £12.2bn; IAG’s revenue in 2017 was €22,972m.
Customers across Europe affected by the data breach have already been urged to stake their claims for due compensation. BA has offered to compensate eligible individuals for direct financial losses because of the breach incident; but it has not agreed to pay compensation for ‘non-material damage’, despite being liable to do so under GDPR, some sources report. This ‘is not good enough’, says legal firm SPG Law, which has set up a website for BA customers who feel entitled to more compensation and want to join a group action to represent their claim. If successful, such a group action could add millions to the total costs of BA’s breach.
Then there’s the question of how market investors will react. After September’s disclosure, BA shares fell 1.35%, or 9.2p, to 672p per share.
These repercussions are business impacts that will be absorbed by BA’s executive leadership, rather than its IT operations, although that part of the airline will certainly be under renewed pressure to ensure that no further technological mishaps occur. The full extent of business impacts that IT security failures cause is often revealed only after a breach occurs; Europe’s business leaders should learn from BA’s experience.