Section 33 of the GDPR states we must report a breach within 72 hours. It took British Airways just one day to announce it had been hit by a cyber-attack between 21 August and 5 September. On 6 September, the airline informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and CVV codes.
The data were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Despite BA’s quick reporting of the breach, experts think the airline could be hit by a huge fine under the GDPR. Previously, the largest fine issued by the Information Commissioner’s Office (ICO) was £500,000.
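The skimming technique described above works by getting an unexpected script to run on the payment page. One defensive check against that is to audit the page for scripts that are not on an allowlist or that lack a matching Subresource Integrity (SRI) digest. The following is an added example, not code from the article or from British Airways; the allowlist, hostnames, digest value and sample page are all constructed for illustration.

```python
"""Audit a checkout page for unexpected or unverified <script> tags.

Added example (not from the article). Assumes an operator maintains an
allowlist of the script URLs a payment page is expected to load, each with
its expected SRI digest. All URLs and digests below are constructed.
"""
from html.parser import HTMLParser

# Constructed allowlist: expected script URL -> expected SRI integrity value.
# The digest is a placeholder, not a real hash.
ALLOWED_SCRIPTS = {
    "https://static.example.com/checkout.js": "sha384-EXAMPLEDIGEST",
}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        self._in_script = True
        self._inline = []
        self.scripts.append({
            "src": attr.get("src"),
            "integrity": attr.get("integrity"),
            "inline": "",
        })

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data (CDATA mode).
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts[-1]["inline"] = "".join(self._inline).strip()
            self._in_script = False


def audit_page(html):
    """Return a list of (finding_kind, detail) tuples for a page's scripts.

    Findings:
      inline-script       - an inline script body (no src); these cannot be
                            pinned with SRI, so each one should be reviewed
      unlisted-src        - an external script not on the allowlist
      integrity-mismatch  - an allowed script whose integrity attribute is
                            missing or differs from the expected digest
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            if s["inline"]:
                findings.append(("inline-script", s["inline"][:60]))
            continue
        expected = ALLOWED_SCRIPTS.get(s["src"])
        if expected is None:
            findings.append(("unlisted-src", s["src"]))
        elif s["integrity"] != expected:
            findings.append(("integrity-mismatch", s["src"]))
    return findings


# Constructed sample page: one expected script with a matching digest,
# one external script that is not on the allowlist, and one inline script.
SAMPLE_PAGE = """<html><body>
<form id="payment" action="/pay" method="post"></form>
<script src="https://static.example.com/checkout.js"
        integrity="sha384-EXAMPLEDIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.third-party.example/helper.js"></script>
<script>window.__t = Date.now();</script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run against a fetched copy of the live payment page on a schedule, this flags any script the deployment did not intend, which is the kind of change a skimmer injection introduces. The browser-side counterpart is a Content-Security-Policy `script-src` directive restricted to the same allowlisted hosts (or nonces/hashes), which blocks the unexpected script rather than only reporting it.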
But under GDPR, firms can be fined up to 4% of turnover; in BA’s case, £500 million. If the airline’s parent group, International Airlines Group (IAG), is held accountable instead, the number could be even higher.
And of course, the fines are in addition to any compensation BA needs to pay to customers who might have suffered financial fraud as a result of the breach. But the costs do not end there: BA has been threatened with a £500 million class-action lawsuit in a UK court by law firm SPG Law, the UK branch of US law giant Sanders Phillips Grossman.
“The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.”
But SPG Law says that under GDPR, breach victims have a right to further compensation and that BA should compensate victims for the “inconvenience, distress and misuse of their private information” caused by the breach.
Article 82 GDPR states: “Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
SPG Law says that it believes that each breach victim may be able to claim up to £1,250 ($1,600), in part because their payment card details were current at the time of the breach.