The GDPR is in effect and being enforced, and yet there are still so many questions as to how the new data protection regulation in the EU is going to influence how businesses approach the securing and processing of personal data of EU residents.
The first companies getting caught being noncompliant or falling victim to data breaches are now being made an example of. How the supervisory authority of the GDPR lays down the law on these businesses will set the precedent of how seriously businesses will take the new regulation.
In this episode of Defrag This, Greg Mooney chats with Chris Payne, Managing Director at Advanced Cyber Solutions in the UK about the effectiveness of the GDPR thus far. They also discuss why the supervisory authority that enforces the GDPR has been so quiet.
A couple of months ago, British Airways announced that their website had fallen victim to a data breach. It turns out that the part of their website that processes credit card information was compromised, and over 300,000 customers' data was exposed. This was possible because they were loading third-party scripts on their site.
BA was quick to announce the attack took place and even went as far as putting adverts in newspapers to spread awareness. This is a commendable response by BA and may not trigger an investigation by the supervisory authority. However, it turns out that BA knew for over a year that there might be some vulnerabilities with their systems that they didn't fix. This would indeed spark an investigation under GDPR.
As it turns out, the culprits may have been Magecart, a Russian-related group. Magecart is malicious code that has been found inserted into popular third-party add-ons and scripts used on e-commerce websites. It is a type of supply chain attack: the site owner never changed their own code, but a script they trusted and loaded from elsewhere was altered.
In any case, this was the first well-known business to fall victim to a massive data breach while the GDPR has been in force, which means BA may come under scrutiny and face large fines. There is already a civil suit taking place, and each affected BA customer could be seeking compensation of around $1000. This could end up costing BA hundreds of millions of dollars if you consider that over 300,000 customers were affected.
How the GDPR's supervisory authority responds is yet to be seen, but regardless, the civil suits have started. It will be smart for businesses to pay close attention to whether this turns out to be a slap on the wrist for BA or whether noncompliance with the GDPR ends up doing serious damage to a well-known brand.