Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
Suddenly, corps in a rush to fess up to e-break-ins
Analysis: If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.
One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company’s reputation for good (“one of the most egregious examples of corporate malfeasance since Enron,” said US Senate Democratic leader Chuck Schumer), and yet Equifax is not only still standing but perhaps even thriving.
While it’s true the full financial consequences have yet to unfold, it’s hard not to notice that its shares last week rode back to within spitting distance of where they were before the breach was made public.
It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.
Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact that cybercriminals were able to skim up to 380,000 transactions in real time, but because of the speed with which the company owned up to the calamity.
According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.
Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23. Perhaps the best example of how the security breach atmosphere is changing is T-Mobile US, which uncovered miscreants slurping account records of 2.2 million customers on August 20 and revealed that fact only four days later.
Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.
Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe's GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours. Security breaches are now understood as having their own lifecycle. At the user end, a recent report from EMW Law LLP found that complaints to the UK's Information Commissioner after May’s GDPR launch reached 6,281, a doubling compared to the same period in 2017.
“This is definitely due to the awareness and the run up to the GDPR,” agreed Falanx Group senior data protection and privacy consultant Lillian Tsang. But there’s more to it than that. “Reporting a breach shows awareness, the notion of ‘doing’ something – even if the breach cannot be mitigated quickly enough. It does show pragmatism, rather than a reactive stance of yesteryear.”
Breaches will never become just another battle scar to be marked up to experience – they are too serious and expensive for that no matter what the shareholders think when share prices recover. What is becoming stressful is the speed of disclosure.
“Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist Jake Moore.
As the breaches keep coming, however, he believes an example will eventually be made of someone. “The ICO are likely to want to stick the GDPR message to a high-profile company to show its magnitude and therefore companies are ready to show that they are more compliant than ever before.”
It could be that BA’s rapid breach disclosure has set the benchmark at the sort of uncomfortable standard many, including its competitors, will struggle to match. ®