Blog » HOW TO HANDLE A DATA THEFT? SOME THOUGHTS ABOUT THE BRITISH AIRWAYS’ DATA BREACH
HOW TO HANDLE A DATA THEFT? SOME THOUGHTS ABOUT THE BRITISH AIRWAYS’ DATA BREACH
24 September 2018
You may have heard that British Airways suffered a serious data breach some weeks ago. As they reported the data of 380.000 passengers have been compromised during a 16 days period. The case was widely reflected in media and some press-organs talked about the possibility of a record GDPR fine and class-action against BA. Given that the breach is still under investigation, I do not wish to speculate on the fines but rather summarize how I see British Airways (BA) handled the data breach and what you can learn from it.
As it appears from the dates of the events the data breach affected the period from 21th August until 5th September.
On 6th September BA has already announced the data theft on press and according to the British Data Protection Authority they already received the notification about the data breach incident on 7th September.
The above timeline of the events shows that BA acted very quickly which is crucial when handling a data breach. An immediate action can prevent further harm and mitigate the risks of the data breach.
Obviously, BA thoroughly investigated the breach and identified what was the affected period, what data and which customers could be compromised and how the breach could happen.
At the early stage of the inspection BA discovered that the payments made on BA’s website and mobile app in the 16-days-perdiod were affected and basically financial details (bank card and credit card data) were stolen but not travel or passport details.
After BA reported the data breach, they continued the examination and found out that the data was taken via a script designed to steal financial information by 'skimming' the payment page before it was submitted.
Reporting to the authority
It is out of question that a data breach which could affect 380.000 customers and their bank card details is a major breach which shall be reported to competent supervisory authority.
As you know, the deadline of the notification is 72 hours after the controller has become aware of the data breach.
It took BA just one day to report the data breach to the Information Commissioner’s Office, the supervisory authority in the UK.
I do not think it needs further explanation that a data breach affecting bank card and credit card details can cause serious harm to the customers, thus they shall be informed about it.
BA, of course, recognized it and took immediate actions to provide information to its customers starting with their press release and publishing a detailed information package on BA’s website. Further, BA promised to contact all affected customers directly which is in line with the recommendations of the European Data Protection Board who interprets the GDPR.
What I really liked about BA’s notification on their webpage is that it was structured in a Q&A format, provided clear information and advised the customers what they should do, eg. contacting their bank or credit card providers.
In my opinion, BA handled the data breach in exemplary fashion, to put it simply, they have made all actions that the GDPR provides in due time.
It is another question if their security measures were sufficient, and whether the data breach could have been prevented or not.
Hopefully you will never experience such a harmful data breach but if you would, I recommend you to remember to the BA’s action plan as a good practice.
LAWFUL DISMISSAL IN HUNGARY - PART II. TERMIANTION BASED ON BEHAVIOUR
Although, considering the current labour market in Hungary, employers are trying to keep the employees at the company, there may be situations where the employment relation cannot be maintained due to behaviour or attitude. In our previous article we explained that a dismissal by the employer is far from a simple move, as the legitimate justification must meet a number of criteria. In the present article, we examine the grounds for termination based on the behaviour of the employee.Read more »
CAN YOU FIRE YOUR EMPLOYEE BECAUSE OF A BLOGPOST IN HUNGARY ? – STRASBOURG RULED
How to balance between the employer’s business interests and the employee’s right to freedom of expression? Can the employer restrict the employee’s freedom of expression and terminate his employment because of a blogpost? The European Court of Human Rights (ECHR) addressed these questions in his fresh judgement brought in the case of a Hungarian applicant. In this short article we summarize the facts of the case and the findings of the Court.Read more »
LAWFUL TERMINATION OF EMPLOYMENT IN HUNGARY – PART ONE: HOW TO JUSTIFY A DISMISSAL?
From salary to vacation leave, an employment relationship can have many sensitive parts. However, labour disputes mostly arise around the termination of the employment by the employer and specifically in connection with the justification of dismissal. Since the fault of the justification will result in unlawful termination, leading to important pecuniary consequences, in our forthcoming article series, we summarise the rules governing employment terminations and the related case-law of the Hungarian courts. In the first part we present the general rules for justifying employee termination.Read more »