
British Airways: A Breach Too Far?

January 2021 has not been a great time for British Airways, and not just because of the ongoing impact of the global pandemic on the airline industry.  Something damaging their reputation is afoot and it goes by the name ‘BAdataBreach.com’.

A law firm has taken out a 40-second television advert, devoted solely to the BA data breach of 2018. They are looking to target the 400,000 people potentially affected by the breach and seek to represent them in a class action lawsuit against British Airways. They pull no punches with the advert and BA’s reputation is mere collateral damage in their campaign.

There’s an urgency about the advert.  “Hurry” they say. “You could be entitled to significant compensation”. There’s “limited time” to join the suit.  The music is eerie and BA is presented as a company that can’t be “trusted” with your personal data.  The effect is a reputational hatchet job and a boon to BA’s rivals.

In October 2020, two years after the data breach, Information Commissioner Elizabeth Denham announced that British Airways was being fined £20 million, the largest ICO fine to date. This was because BA had processed a significant amount of personal data without adequate security measures in place. This failure broke data protection law and the subsequent cyber-attack went undetected by BA for more than two months.

The BA breach of 2018 certainly is old news, but because of a TV campaign happening in 2021, BA’s past failings in data security are being hammered home again, and to a new audience.

When organisations make bad decisions regarding personal data, that can have a real impact on people’s lives. The law now provides the tools to encourage businesses to make better decisions about data.

Data protection is vital to reducing the risk of data breaches, and to meeting the expectations of customers, regulators and the public alike.

It is recommended that organisations:

  • Limit access to applications, data and tools to only those required to fulfil a user’s role.
  • Undertake rigorous testing, in the form of simulating a cyber-attack on the business’ systems.
  • Protect employee and third party accounts with multi-factor authentication.
  • Invest in up-to-date security.

For more information on how Southwood can help you to avoid reputational damage by complying with data protection legislation and associated data privacy services, please contact [email protected]

Written by James Okoro, CIPM, FIP, CIPP/E, LL.B, Barrister – Director, Southwood Management Solutions
