OPINION: BA GDPR fine should be a tipping point event for airlines and GHs

posted on 17th July 2019 by Justin Burns
The British Airways GDPR fine should be a tipping point event for airlines and ground handlers, writes Transputec head of cyber security Sonny Sehgal.

British Airways has just been told by the Information Commissioner's Office that it faces the prospect of a record fine for breach of GDPR rules. This follows multiple warnings from the ICO that organisations are now liable to potentially massive fines, up to four per cent of their turnover, as a result of the new EU data protection rules that came into force in March 2019.

This entirely predictable development should serve as a warning and a tipping point event for both core airline companies and their entire supply chains. A fine of £183 million would be an extinction event for most commercial companies and it could have been even worse, as the penalty for BA is only 1.5 per cent of their turnover, not the maximum four per cent.

It was always likely that the ICO would look to make an example of some high-profile offenders and BA seems to have fallen into that category. The previous highest fine issued by the ICO was the £500,000 levied against both Facebook and TalkTalk. This was the maximum fine under the old legislation, but the stakes are much higher now.

So, what can the air sector do to learn very quickly from what has happened to BA and make sure that they are not the next ones to be made an example of?

  • The first thing that airlines should do is to take cyber security and data protection much more seriously. Airlines hold much sensitive personal information on their customers, not only contact and payment details, but also passport numbers and other personal identity data.
  • Airline supply chains are not exempt from this injunction. General sales agents, ground handlers and others all exchange sensitive personal information with airlines and they too need to escalate responsibility for cyber security and GDPR compliance to board level.
  • Under data processing agreements, many of these outsourced supply chain companies will hold some data processing accountability and they will not be able to evade responsibility and subsequent fines if something goes wrong.
  • There are many routes into the systems of a global industry like the air sector and the corporate security perimeter can extend to hundreds of outsourced roles in far-flung places with less security than in the headquarters country. The weakest link in the chain is always likely to be human operators and human error.
  • With the number of cyber attacks multiplying every year, it is impossible to stop them getting through all of the time. This means that the point of response needs to switch from prevention to detection.
  • To protect themselves effectively against cyber-attack, airlines, general sales agents and ground handling companies need to have in place an effective AI behavioural monitoring solution like ThreatSpike that will build up a picture of activity and identify suspicious activity across the entire network.

It is impossible to stop all data breaches, and the ICO is well aware of this. If BA had been able to spot the breach within a few days through the use of a monitoring solution and had taken immediate mitigating action to inform all those who needed to know, then the ICO fine would have been massively reduced and possibly even avoided altogether.

The ICO has signalled that it means business. Airlines and their suppliers need to make sure that they are ready to respond immediately if they are the next ones to be hit by the hackers.

Visit www.transputec.com for more information.