BA hacking leaves airline open to fines under tough data rules

British Airways may become the first high-profile company to face Europe's far-reaching data privacy rules that come with potential fines after a computer hack compromised credit card data from some 380,000 customers. The European Union's General Data Protection Regulation, or GDPR, which took effect on May 25, mandates that companies have to take technical precautions such as encryption to ensure customer data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them.

Violations may lead to fines of as much as 4% of a company's annual sales, which for BA could reach about £489mil based on 2017 figures. “This looks like a classical data breach,” Konrad Meier, a specialist on data privacy laws at EY in Zurich, said in an interview. “The authorities will now want to understand how and why this happened in order to determine whether it could have been prevented.”

Should regulators conclude that BA failed to take measures to prevent the incident, “a fine may follow”, he said. The carrier, which is owned by International Consolidated Airlines Group SA, said in an email that its main concern “is to take care of the customers that may have been affected”.

The hack at BA lasted for more than two weeks, with intruders making away with account numbers and personal information of customers making reservations from the carrier's website and mobile app.

Chief executive officer Alex Cruz on Thursday apologised to clients in a letter and urged them to contact their bank or credit card provider. BA and IAG are likely to be liable for consequent losses, but probably have insurance in place to cover such expenses, RBC Capital Markets analysts including Damian Brewer said in a note.

Still, the incident risks hurting the airline's reputation, especially because the company has suffered other IT failures, they said. A data breach doesn't necessarily mean a company is at fault, EY's Meier cautioned, as “even best-practice security standards can be hacked”.

A spokeswoman for the EU's information commissioner said BA “has made us aware of the incident and we are making enquiries”. – Bloomberg