British Airways hack could provoke the wrath of the GDPR

A hack of the airline’s system left hundreds of thousands of passengers’ financial information exposed, and a big fine could follow.

The news: Sometime between August 21 and September 5, more than 380,000 customer transactions on the British Airways website were compromised by hackers. The company began notifying those affected yesterday.

The law of the land: The EU’s newly minted General Data Protection Regulation requires that companies take precautions to protect customer data and notify authorities of any breaches within 72 hours.

The penalty: If it’s determined that British Airways didn’t do enough to protect consumer information, it could be facing a fine of up to 4 percent of its annual revenue (that works out to about 500 million pounds). That is a big “if,” though. Even well-protected companies can be hacked, so the mere fact that the data was compromised doesn’t mean the company is at fault. In the meantime, the company’s CEO has promised to compensate any customers financially affected by the hack.

Why it matters: This timing of this hack isn’t great for British Airways. This is one of the first major data breaches since the new regulations went into effect. Regulators may see this as an opportunity to make an example of the company to show they are serious about enforcing GDPR. As Julian Saunders, founder of Port.im, a British software maker that helps companies comply with GDPR, told Bloomberg, “At some point a line needs to be drawn and this might be the best time to do it.”