By Todd Fitzgibbon
British Airways is the latest company to be hit with a cyberattack. Between August 21 and September 5, information relating to around 380,000 booking transactions had been stolen—including everything from customer names to credit card information.
Of course, cyberattacks like this one aren’t anything new. In fact, this data breach is similar to the Equifax incident that happened in Fall 2017.
However, there is one major difference: the Equifax breach occurred prior to the effective enforcement date of the General Data Protection Regulation (GDPR).
When hackers got hold of 143 million Equifax customers’ information, the company was hit with a £500,000 fine (or about $658,500). While this is no cheap mistake, had the breach happened just 365 days later, that fine could have been up to 200 percent more expensive.
It’s hard to define a data breach affecting 143 million consumers as “lucky,” but Equifax could have faced much more severe consequences had their breach happened in a post-GDPR world. Unfortunately for British Airways, the timing of their data breach could cost them big.
How the Equifax Data Breach Happened
Between mid-May and late-July, over 143 million names, social security numbers, birth dates and more were pulled from two Equifax datasets: the Equifax Identity Verifier Dataset and the Global Consumer Services Dataset. Each had its own set of data protection problems.
First, the Equifax Identity Verifier (EIV) product originally hosted U.K. users' data in the U.S. In 2016, the product was moved to the U.K. At that point, all U.K. data should have been deleted from the U.S. system. Unfortunately, it was never properly removed.
Second, the Global Consumer Services dataset failed to follow Equifax's own cryptographic standards. Rather than being secured in an encrypted or tokenized form, passwords were stored in plaintext. This left users' account email addresses, passwords, secret questions, credit card numbers and more unprotected.
Ultimately, the breach violated five data protection principles. Equifax was slapped with a £500,000 fine – the maximum under U.K. law before GDPR.
But the consequences of the breach go deeper than just lost cash. The breach has also brought consistent bad publicity to the Equifax brand, making it difficult for customers to feel like they can trust the company.
How the Breach Could Have Been Avoided
The Equifax breach, in part, could have been avoided with the right systems in place. Here’s how:
- Asset Inventory and Classification: Had Equifax properly inventoried, classified and assessed their EIV systems, they would have known the type of data being stored and applied the appropriate retention/destruction policy controls prior to relocation. With proper asset inventory and classification, you better understand what data you have, where it is located, and the impact that a breach of that information can have.
- Process Documentation: Simply creating standards isn’t enough to properly protect data. Had Equifax followed their own encryption processes, their Global Consumer Services dataset may not have been leaked. By documenting processes, you and your team will know just what you need to do, how to do it, and when it needs to be done.
- Control Testing: If Equifax had consistently tested their systems, processes and standards, they could have discovered their risk before any data was breached. By performing regular control tests and audits, you can find opportunities to proactively improve your risk exposure.
GDPR Fines 2018 & The Future of British Airways
The investigation into British Airways' data breach is still ongoing, so it's too early to say what GDPR fines they may be hit with. However, they could face up to £488 million in penalties under GDPR. This is in addition to the £500 million class-action lawsuit from U.K. law firm SPG Law, and other potential damages suffered by breach victims.
Because British Airways did alert the public of the breach within the 72-hour window mandated for GDPR compliance, the investigation will look into other potential infringements of the regulation's standards. British Airways must be able to prove they had defined risk management processes in place and that those practices were properly followed.
If the investigation finds that British Airways was negligent or careless in protecting consumer privacy, they are sure to become the poster child for GDPR corporate non-compliance.
How Rsam Can Help
Non-compliance with GDPR can cause a serious blow to not only your company’s bottom line, but also your reputation. With Rsam’s GDPR Module, you can assess your organization’s readiness for GDPR compliance requirements and create a GDPR compliance plan.
Rsam equips organizations with the technology they need to capture, assess and remediate the elements important to their risk management strategy. The Rsam platform provides real-time insights, context of interdependencies, processing automation and resiliency in a centralized environment that provides regulators an easily identifiable audit trail, if and when necessary.