GDPR demonstrates power with record breaking fine

by PCI Booking – July 10th, 2019

Last September it emerged that British Airways had suffered a significant data breach which affected 380,000 of its customers. The impact, both on brand image and with the data commissioners, has been severe, with British Airways being hit with a penalty of £183 million.

The breach, which went unnoticed over a 16-day period from August 21st to September 5th 2018, captured both personal information and full payment details (including the CVV code).

Hackers breached British Airways' infrastructure by pinpointing security vulnerabilities in a baggage-claim information page that had not been modified since 2012. Using this unsecured page as a backdoor into the British Airways site, the cyber criminals placed a script of only 22 lines on the site. That script then transmitted any information entered on the payment page to a server controlled by the attackers.

Magecart, a group that specialises in identifying and attacking websites without a sufficiently secure payment infrastructure, was identified by security experts as likely responsible for the breach.

What were the implications?

The financial implications, at least in terms of fines, have become clear and demonstrate the true power of GDPR. British Airways' £183 million fine was a remarkable 367 times larger than the previous largest fine, a (now) mere £500,000 imposed on Facebook over the Cambridge Analytica scandal. Of course, this figure of £183 million does not include the IT cost associated with identifying, resolving and preventing a repeat of this breach, nor does it include the cost of compensating customers for any losses experienced, a pledge that British Airways made when news of the breach became public.

Despite all this, the fine could have been worse. Although the penalty imposed on British Airways was hundreds of times larger than previous high-water marks, the amount in fact demonstrates restraint on the part of the GDPR data commissioners. GDPR allows fines of up to 4% of annual turnover; this £183 million fine represents 1.5% of British Airways' annual turnover. In total, British Airways could have faced fines of over £500 million!

What now for merchants?

Nevertheless, the message from GDPR is very clear: protect your customers' data, both payment information and personal information, or else. This data breach has given regulators the opportunity to show all businesses that they mean business. Companies have been warned that they can, and will, be fined for data breaches.

Eyal Nevo, CEO of data security experts PCI Booking, says of the situation companies now face in the wake of this fine: “The regulators have demonstrated to companies the cost of inaction or improper reviews of data flows within the organization. As is evident from the experience of British Airways, all it takes is one system to be missed or overlooked for hackers to have a way in. However, the resources required to find and correct all loopholes, access points and out-of-date systems are often not financially feasible.

That’s where services like PCI Booking can help. By outsourcing the capturing, storing and processing of confidential information – both payment and personal – companies now need only review parts of their system and not its entirety. Regardless of the method, it’s now clear that companies must start protecting themselves and the data they manage”.

Outsourcing as a possible solution

PCI Booking, as Nevo describes, enables you to collect payment information from your customers without the card details ever reaching your systems. Captured payment data, whether from embedded secure web pages (a solution that would have prevented this specific breach) or from API endpoints that support integration with third-party APIs, is tokenized and masked before it reaches your infrastructure, effectively creating a PCI-compliant shield around your system.

Once captured, stored cards remain accessible to you but protected from, and inaccessible to, others. As data breaches become ever more frequent and unprecedented in nature, PCI Booking offers unlimited PCI DSS Level 1 storage.

Of course, capturing and storing credit card information is only one part of the picture; you will also need to use those cards. With PCI Booking, you get immediate access to dozens of payment processors through a single, unified API endpoint, eliminating the need for individual integrations with each payment processor.

Download the Assess Yourself document to help you determine what kind of PCI compliance protection you require, and how you can achieve it.