Undoubtedly, the provisional British Airways GDPR fine in the sum of £183m, and the group action that could lead to an estimated cost of £3bn, were both avoidable.
All that was needed was for the airline to have had proper cybersecurity measures in place that could have prevented the 2018 cyber-attacks. Given what we know, and the fact that the Information Commissioner’s Office (ICO) has deemed it necessary to issue a fine, this whole scandal could have been avoided.
The fact that the attacks were successful is another example of big corporations being reactive as opposed to proactive. The costs of the fine and the litigation will no doubt serve as clear punishment for the fact that vital data protection laws have been breached. But make no mistake about it, this could have been prevented.
British Airways GDPR fine and litigation avoidable
It appears that it wouldn’t have taken much for the British Airways GDPR fine to have been avoided, and the subsequent need for victims to claim data breach compensation to have also been prevented.
In fact, researchers from HackerOne have reportedly put the estimated cost of a bug bounty that could have identified the vulnerabilities that led to the breach at less than £10,000.00. When you put this into context, you can see how crazy it is that a company as big as BA has allowed this to happen:
- Bug bounty estimate: less than £10,000.00; or
- ICO fine of £183m and estimated pay-outs for claims: £3bn.
BA could have literally saved themselves billions of pounds by paying a relatively small change amount to have identified their vulnerabilities with a bug bounty. It’s also understood that the Ticketmaster, TalkTalk and Carphone Warehouse breaches could also have been avoided in the same way.
Big corporations must be proactive!
If the costs of the British Airways GDPR fine and the compensation pay-outs vs the comparably tiny fee of a bug bounty doesn’t change attitudes, I don’t know what will.
The BA data breach is a clear example of how it pays to be proactive instead of reactive. It’s no good sorting out your cybersecurity after you’re having to pay billions in fines and compensation pay-outs.
If it all could have been avoided in the first place, why wasn’t it?
Huge data breaches that date back years, like the TalkTalk and Equifax ones, ought to have been warnings to other big businesses that there are targets on their backs. The introduction of GDPR, where huge fines can be levied, should also serve as a clear warning that compliance with data protection laws is a must. Yet despite these events, the BA data breach still took place, and in its wake is a bill that could be in the billions, and almost half a million people who have suffered data exposure.
Difference between the British Airways GDPR fine and the group action
The money from the British Airways GDPR fine isn’t designed to be used as compensation. That’s why we have our own No Win, No Fee data breach group action being pursued as well.
The litigation is designed to make sure that the victims who have suffered distress and / or financial loss see the justice that they deserve. We pursue this as a separate matter to any regularity penalty, and the formal GLO (Group Litigation Order) is up and running.
To join the BA Group Action, go to the website here and check you eligibility. You can then sign-up if you’re able to do so as well.