So you’ll likely first be wondering what British Airways (BA) have in common with membership. Can there be a comparison between the two, and why is it important to pay attention to the fine BA have just received?

What are the commonalities between BA and Membership?

Aside from the fact that all organisations need to comply with the GDPR, irrespective of industry or sector, the 2018 British Airways data breach, affecting in excess of 400,000 individuals’ data, is reported to have included Executive Club Member data.

What’s unprecedented about the fine?

As outlined in the ICO Enforcement Action post, it is the biggest fine issued to date. Despite it being arguable that BA have much bigger budgets to throw at security to protect personal data, they fundamentally failed to implement some basic security measures that wouldn’t have come with a high cost, but would have contributed to potentially mitigating the attack!

What BA failed to implement

Circling back to the point above, the measures that would have avoided the data breach, or at least offered further protection to help mitigate an attack, were not costly to implement. In its notice, the ICO highlighted that BA fundamentally failed to:

  1. Implement appropriate security measures such as two-factor authentication on user accounts, despite its Microsoft operating system(s) having the functionality available
  2. Limit access to systems and data to only those who need it to do their job
  3. Carry out tests to simulate a cyber-attack (e.g. penetration testing) on the business systems, which would have identified weaknesses

In addition to the failure to implement appropriate security measures and controls, BA also failed to detect the attack for more than two months and discovered it when they were alerted by a third party.

Under Principle 6 of the GDPR – Security, integrity and confidentiality – organisations must use appropriate technical and organisational security measures to protect personal data. This not only includes the elements listed above, which BA failed to implement, but also highlights appropriate measures to monitor, detect and record incidents and breaches. Having such measures helps to detect and respond efficiently to potential threats and active attacks.

What are the key learning points?

In the case of BA, personal details, as well as credit card information, of a significant proportion of customers were accessed, which in reality poses a high risk of theft, fraud and stress for the individuals concerned. Whilst the GDPR clearly defines appropriate security measures that can be deployed, membership organisations must weigh up the level of risk posed to individuals should their data be compromised, and implement appropriate levels of security to minimise the chances of it happening and potentially mitigate against it.

Whilst the chances of traditional membership organisations receiving a fine on this scale are very slim, any financial penalty could have dire consequences for a membership organisation. A fine can have a severe knock-on effect for the organisation, but a loss of members resulting from reputational damage and a lack of trust could have longer-lasting effects.

What Membership organisations must do

In the current climate, with the rise of phishing emails and cyber attacks since the start of the pandemic, it is not a case of if, but when, a breach will occur! Membership organisations must therefore act now to ensure that adequate levels of security are put in place, that they are able to test the cyber defences of their systems, and that they are able to monitor, detect and rapidly respond to potential and active threats that could compromise member data. Keeping accurate records of the steps taken, and the security measures implemented, to protect personal data will help to demonstrate accountability should your organisation suffer a breach and have to demonstrate compliance with the GDPR to the ICO.

LJ Digital & Data Consultancy help Membership, Association, non-profit and charitable organisations to assess their existing operations and capabilities and define robust digital, data and IT strategies that are aligned with business strategy as well as being fit-for-purpose for the future.

Lisa Goldsmith, Director, LJ Digital & Data Consultancy