Sometimes the cost of lax cybersecurity protocol can be more than just lost productivity and consumer confidence. On Jan 6, 2021, British Airways, one of the largest airlines in Europe, announced that it will begin settlement discussions with customers whose information was stolen during two 2018 data breaches on the company's network. The total price tag of settlements is expected to be almost £3 billion, according to Infosecurity Magazine. The announcement comes after the airline was already fined £20 million by the U.K. Information Commissioner's Office for its failure to take necessary cybersecurity precautions that could have prevented the attack.
Lost personal information
British Airways' legal situation began when two data breaches occurred mere months apart, in April and July 2018. During the first attack, the personal and financial information of about 185,000 customers was stolen, almost exclusively from the list of reward-booking members. That, however, was only a precursor to the second security breach, where the information of another 380,000 customers was compromised. The July 2018 attack affected customers who used the British Airways website and mobile app. Stolen data included customer names, email accounts and card information, including card numbers, expiration dates, CVV codes and billing addresses. A far smaller group of customers, about 600 people, also had their usernames and passwords stolen, according to CNBC. The company took almost two months to discover that an attack had occurred and alert its customers.
Following the attack, a committee was put in place to handle the deluge of litigation against British Airways stemming from the attack. That committee ultimately tapped the law firm Your Lawyers to handle a consumer action lawsuit against the company. Negotiations between British Airways and Your Lawyers have not been set but will likely be held in the early months of 2021.
While the announcement was a big step for harmed consumers, British Airways continued to maintain that choosing to settle did not mean it was fully liable. The company also noted that its compensation plan would not meet the specific demands of the class action suit brought by Your Lawyers.
"We continue to deny liability in respect of the claims brought arising out of the 2018 cyberattack and are vigorously defending the litigation. We do not recognize the damages figures that Your Lawyers has put forward, and they have not appeared in the claims," the statement read.
Your Lawyers, meanwhile, claimed that the airline's announcement was a sure sign of wrongful conduct and bolstered the firm's full case.
"News that British Airways want to settle compensation claims … is acknowledgement of its wrongdoing in failing to protect customer data," said Your Lawyers director Aman Johal.
An extensive fine
The beginning of the settlement process comes only months after British Airways already had to pay a hefty fine to the British government's Information Commissioner's Office for its failure to prevent the data breaches. The fine was levied in October 2020, after a two-year investigative process, and totaled £20 million, according to CNBC. The sum is the highest that the office has ever issued.
While the fine was certainly steep, it was also a far cry from what could have been. The Information Commissioner's Office originally announced that it was looking to fine British Airways £183 million. The government agency said it dropped the amount in part because of the impact that the COVID-19 pandemic had had on British Airways, as well as the cybersecurity improvements the company has made since the breaches.
"When organizations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security," said UK Information Commissioner Elizabeth Denham, at the time of the fine announcement.
The vulnerabilities of Java
As more and more work continues to move online, cybersecurity threats are a growing problem for organizations of all sizes. These threats include potential data breaches. In addition to losing you time and money, data breaches, especially of customer information, can undermine consumer trust. As shown by the British Airways attack, companies that improperly guard consumer data and are subsequently attacked can be held liable in court. One of the easiest and most important ways to shore up your network is by getting rid of tools that rely heavily on insecure, open-source Java code.