BA’s 'record' cyber fine just the tip of the iceberg
On Sept. 6, 2018, BA disclosed an attack against its website which compromised the personal data of approximately 500,000 customers. Hackers diverted the user traffic to the British Airways website to a fraudulent site, according to the UK’s Information Commissioner's Office (ICO). Through this false site, attackers harvested customer details which may have been used for fraudulent transactions.
The £183 million fine is set to be the biggest penalty the ICO has ever handed out and is seen as the first test case after the introduction of the General Data Protection Regulation (GDPR) in the UK. The stricter regulatory framework includes fines of up to 4% of annual global turnover, or €20 million – whichever is greater. The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at BA, including log in, payment card, and travel booking details as well as name and address information.
“Costs of data breaches are on the rise partially because of stricter GDPR rules and a growing relevance of data security in society, but also the fact that data breaches are generally becoming more expensive as criminals develop more sophisticated tools,” says Peter Erceg, Senior Vice President, Global Cyber & Technology.
BA has agreed to reimburse customers who suffer "direct financial losses" and to offer "credit rate monitoring".
In addition, SPG Law, the UK arm of US law giant Sanders Phillips Grossman, has launched a group-action against BA claiming that clients affected by the breach could be eligible to compensation of up to £2,000 or more, which could potentially add up to a £500 million bill. The breach has led to all customers being required to monitor financial transactions on their debit/credit cards and potentially cancel/request reissuance of their payment cards, the law firm explains on its website. Clients have a right to compensation under GDPR for non-material damage, the law firm notes.
The compensation for clients, reimbursement for direct financial losses as well as the ICO fine are in addition to the (undisclosed) possible considerable cost of forensics, legal bills, PR costs and any reputational damage.
“As the BA incident is a test case for how regulators and courts will deal with data breaches under GDPR rules it will draw a lot of attention from the media which is likely to further boost PR expenses, reputational damage cost as well as legal bills,” Erceg says.
“While the cost for the ICO fine is unlikely to be covered by cyber insurance, all the other costs can be,” he notes. “A cyber insurance policy can cover the cost from liability claims including any compensation due, business interruption, PR coverage and now also reputational harm. This can substantially reduce the final bill after a data breach,” he says.
In addition to the cyber insurance, companies should regularly test the security of their platforms that store personal data to make sure the protection is always up-to date and includes the most recent patches.
Cybercrime damages worldwide will amount to $6 trillion annually by 2021, up from $3 trillion in 2015, according to the Cybersecurity Almanac by Cisco Security and Cybersecurity Ventures.
Global ransomware damage costs were predicted to exceed $5 billion in 2017, up more than 15X from 2015. Ransomware damages are estimated to cost the world $11.5 billion in 2019, and $20 billion in 2021.
Cyberattacks are dubbed the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.
The outcome for British Airways could therefore have been worse. The number of clients affected by the breach was low compared to other cases. And the fine issued by the ICO represents just 1.5% of British Airways’ 2017 worldwide turnover, while it could potentially have reached up to 4% of the turnover.
If a cyber incident causes physical damage or business interruption, which insurers will speak up?
Despite recent data breaches, possible fines and compensation claims, companies should not just focus on compliance.
IT may lead on cyber security, but other stakeholders should be in the room.
By Lucy Scott, Senior Vice President, Global Cyber & Technology, Lockton Companies.