A guest blog post by Paul Carlin from South Eastern Health and Social Care Trust
The news broke yesterday of British Airways being fined £183 Million for the theft of 380000 customers personal data. This occurred between 22:58 BST August 21st 2018 and 21:45 BST September 5th 2018 from the BA website, ba.com, and the BA mobile app. The breach lasted for approximately two weeks and revealed user’s details to hackers that risked exposing the owners to potentially significant personal financial impact.
In 2016 it was reported that there was on average 1000 cyber-attacks targeted on airlines per month, as of 2018 this figure had grown by 15000% (that’s not a typo), and as such these companies were and are well aware of the potential risk that their portals of interaction face daily. BA’s defence against the judgement seems to rest on the premise that they have no knowledge of any financial malfeasance that has resulted from the breach and appears to be appealing the decision on that basis. It’s an interesting approach as the Data Protection Act 2018, reflects the GDPR in defining a
“personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Clearly the GDPR is saying that this shouldn’t happen in the first place.
Is this approach appropriate and proportionate?
One could argue, as BA appear to be doing, that as no real harm has been done, apart from some members of the public having to change their credit cards, then all’s well and business as usual.
But this approach actually misses the point. MIDAS from its inception took an approach that data management and governance were central to how any system would and should be used. Yes MIDAS as a portal exists within a very controlled and specific context, BA’s system are vast public facing systems, thus perhaps more open to attack and thus increased risk? Yet MIDAS will draw on significantly more highly personal data, from heterogeneous sources, albeit suitably anonymised for the work that the platform exists to perform, but risk remains and the purpose and function of the various partners, technical, academic and ethical is to try in as far as possible, to limit and mitigate these inherent risk.
Data use by its very nature is risky, and will become ever more risky as technology, volume and quality improve (Wall Street Journal, 2018). Whilst MIDAS touches on these domains, the team take seriously the potential threats both internally and externally, thus the identification of Good Practice as a core output of the overall project.
In the case of BA, the penalty may seem harsh, although this is actually on the lower tier of punishment available to ICO, yet this issue should be taken seriously by all industries, be that researchers or companies hoping to exploit, for whatever reason the power and potential of personal data, either as at an individual level or as a population/ large scale asset.