BA data breach: a look at the possible ramifications of data theft for insurers

British Airways' significant data breach highlights the increasing scale and frequency of cyber threats faced by insureds, as well as the possible consequences of those breaches for insurers. As one of the first major breaches to occur in the context of GDPR, insureds and insurers will be interested in how the ICO and other bodies treat the breach.

Following a string of IT-related issues this year, British Airways (BA) has reported that its customers' personal data has been stolen in a significant cybersecurity breach. In addition to being one of the largest data breaches to have occurred in the UK to date, the BA breach is one of the first major data breaches to have occurred in the context of the updated data protection rules brought in by the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.

The breach occurred between 22:58 BST on 21 August and 21:45 BST on 5 September. 380,000 transactions by BA customers are said to have been involved. Thieves obtained the personal and financial details of customers making or changing bookings. The stolen data did not include travel or passport details, BA has said. The attack is thought to have involved credit-card skimming that targeted the BA site directly and was planned around the site’s structure and functionality.

BA will no doubt be considering the responsiveness of its insurance policies to the breach. Events of this nature have the potential to trigger cover in a variety of ways: 

  • First party losses, including the costs of investigating the breach, business interruption and notifying data subjects in accordance with GDPR.
  • Third party liabilities, including compensating customers for financial loss suffered as a result of the breach (and BA has said that it will compensate any customers suffering financial loss). Under GDPR, BA could also be required to compensate affected customers for inconvenience and distress, and prospective class actions pursuing significant damages for distress are reported in the media.
  • Investigations and fines by public bodies. The authority of the Information Commissioner’s Office (ICO) to impose fines, which has been amended by GDPR, may be exercised to impose a significant fine on BA. Along with the recent fining of Equifax, that fine would be amongst the first imposed by the ICO for a major data breach in the context of GDPR and may indicate the approach the ICO will take going forward. Investigations by the ICO and other public bodies also have the potential to trigger cover under D&O policies, which we consider in this blog post.

The breach comes in the wake of a range of IT-related issues for the airline this year, including disruption to its schedules in July as a result of failures in its IT systems. Such events shine a light on the vulnerability of businesses to cyber issues (malicious or otherwise), and airlines will, like other businesses, no doubt be increasingly focussed on the adequacy of their insurance arrangements to respond to such events.

On 17 October, Simmons & Simmons will be hosting an afternoon of seminars concerning the challenges of change in the insurance sector, including the risks and opportunities faced by insureds and their insurers as a result of evolving cyber technologies. To find out more and to sign up for the event, click here.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.