Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways

Suddenly, corps in a rush to fess up to e-break-ins

Analysis If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.

One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company’s reputation for good (“one of the most egregious examples of corporate malfeasance since Enron,” said US Senate Democratic leader Chuck Schumer), and yet Equifax is not only still standing but perhaps even thriving.

While it’s true the full financial consequences have yet to unfold, it’s hard not to notice that its shares last week rode back to within spitting distance of where they were before the breach was made public.

It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not so much that there are necessarily more of them as the speed with which they are being revealed.

Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact that cybercriminals were able to skim up to 380,000 transactions in real time, but because of the speed with which the company owned up to the calamity.


According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.

Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23. Perhaps the best example of how the security breach atmosphere is changing is T-Mobile US, which uncovered miscreants slurping account records of 2.2 million customers on August 20 and revealed that fact only four days later.

Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.

Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe's GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours. Security breaches are now understood as having their own lifecycle. At the user end, a recent report from EMW Law LLP found that complaints to the UK's Information Commissioner after May’s GDPR launch reached 6,281, a doubling compared to the same period in 2017.

“This is definitely due to the awareness and the run-up to the GDPR,” agreed Falanx Group senior data protection and privacy consultant Lillian Tsang. But there’s more to it than that. “Reporting a breach shows awareness, the notion of ‘doing’ something – even if the breach cannot be mitigated quick enough. It does show pragmatism, rather than a reactive stance of yesteryears.”

Breaches will never become just another battle scar to be marked up to experience – they are too serious and expensive for that no matter what the shareholders think when share prices recover. What is becoming stressful is the speed of disclosure.

“Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist Jake Moore.

As the breaches keep coming however, he believes an example will eventually be made of someone. “The ICO are likely to want to stick the GDPR message to a high-profile company to show its magnitude and therefore companies are ready to show that they are more compliant than ever before.”

It could be that BA’s rapid breach disclosure has set the benchmark at the sort of uncomfortable standard many, including its competitors, will struggle to match. ®
