BA's confirmation last week that hackers had accessed customer data by breaching its website and mobile app security has brought a host of unwelcome media attention on the airline and set off a flurry of pointing fingers and blame articles, with many BA users demanding compensation and apologies. In today's world where social media has an increasingly powerful voice and reach, the concept of bad luck appears to have been replaced by the need to hold someone accountable and the extraordinary belief that those responsible should be able to respond at lightning speed.
Some are speculating that the airline will face a hefty fine from the Information Commissioner as it begins to flex its General Data Protection Regulation (GDPR) muscles: under the new regulation, BA could be liable for a fine of up to €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year. It can be noted that in accordance with the new EU privacy rules, BA notified the UK data protection authority (as confirmed here by the Information Commissioner's Office ('ICO')) and the affected individuals.
As an Operator of Essential Services (OES), however, BA is also obliged to comply with the requirements of the Network and Information Systems Regulations 2018 (NISR), which came into force on 9 May this year and were designed to improve cyber resilience across the operators of critical national infrastructure, amongst others. The principal requirement on OESs, such as BA, is that they must be able to demonstrate that, firstly, they have taken appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems; and, secondly, that they have such measures in place to prevent and minimise the impact of such an incident. The ultimate financial sanction for getting it wrong in respect of an incident resulting in an immediate threat to life or significant adverse impact on the UK economy is set at £17m.
What exactly do we know about the attack on BA's systems? The airline has stated that it suffered a 'sophisticated' cyber-attack that clearly penetrated its defences and that sensitive personal details of a number of BA users had been accessed. Before we rush to calculate potential fines or fire off the demands for compensation, we may first need to consider the core question, which is: did BA do anything wrong? A successful cyber-attack does not always mean the victim had not taken appropriate and proportionate measures. Many cyber-attacks succeed in penetrating entirely prudent, sophisticated business entities who can readily demonstrate they have world-class cyber security and resilience measures in place. The fact that an attack succeeds does not and should not automatically equate to responsibility.
It remains to be seen how the incident will be investigated and what the outcome of those investigations will show. Due to the overlap of the two sets of regulations, and as experienced with other sector specific regulations (e.g. Financial Conduct Authority and ICO investigating in parallel common breaches affecting financial institutions), we are likely to see (i) an investigation led by the Information Commissioner under the GDPR and (ii) another one led by the Secretary of State for Transport and the Civil Aviation Authority under the NISR.
Regrettably, cybercrime is an everyday event and a side effect of the glorious connected world we live in. The reality is that people and businesses fall victim to cybercrime daily and many of those who do will have had cyber defences in place that are as good as their peers'. Only time – and some thorough investigation – will tell whether BA's cyber defences and resilience were to airline industry standard or not.