Behind the Headlines: Lessons from BA’s $237 million data-breach fine

Thursday, February 20, 2020
David Welsh

Last summer, just over a year after the introduction of GDPR, British Airways was issued with a record-setting $237 million fine for failing to protect its customers’ personal data. But when BA’s appeal period came to an end in January 2020, the UK’s Information Commissioner’s Office (ICO) delayed its final decision for several more months.

What’s going on here? Are regulators unwilling to punish companies that play fast and loose with personal data? Should marketers quake at the prospect of gigantic fines, or should they breathe easy knowing that enforcement will be patchy at best?

What the hack happened?

Make no mistake: BA didn’t willingly hand over confidential information to hackers. In fact, its website hadn’t actually been compromised—its ecommerce vendor had. We now know that stringent, real-time tag tracking on BA’s part would have stopped the scheme before it even started… but that’s not what happened. Here’s how it went down:

  • When the BA site dynamically called in the ecommerce vendor’s code via JavaScript, the vendor’s code itself called more code—which had been hacked
  • The malicious code looked legitimate; in fact, it took three months to detect
  • Hackers stole credit card and other sensitive information from an estimated 429,000 customers during this time

This landmark case is complex and multi-layered, and there’s little doubt that hidden tags and code are difficult to diagnose. Nevertheless, website owners are ultimately responsible for end-user protection. British Airways is entirely liable for the breach that occurred via its site, even if it wasn’t directly culpable.
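To make the chain above concrete from the defender’s side, here is an added example (not BA’s or its vendor’s code) of the kind of real-time tag check the post calls for: a first-party allowlist of script origins, a function that flags scripts loaded from anywhere else, and a MutationObserver hook for scripts that vendor code injects after page load. The origins, the allowlist and the sample script list are constructed placeholders.

```javascript
// Added example, not code from British Airways or any vendor; origins are constructed.
const TRUSTED_SCRIPT_ORIGINS = new Set([
  'https://www.example-airline.test',       // first party (constructed placeholder)
  'https://cdn.vendor-ecommerce.test',      // the ecommerce vendor the site chose to load
  'https://www.googletagmanager.com',       // a tag manager the site knowingly loads
]);
// Resolve a script's src against the page origin and check it against the
// allowlist. Inline scripts (no src) count as first party here.
function classifyScriptSrc(src, pageOrigin) {
  if (!src) return { origin: pageOrigin, trusted: true, inline: true };
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return { origin: null, trusted: false, inline: false }; // unparseable src: review it
  }
  return { origin: url.origin, trusted: TRUSTED_SCRIPT_ORIGINS.has(url.origin), inline: false };
}
// From a list of script srcs observed on a page, return the ones to review.
function findUntrustedScripts(srcs, pageOrigin) {
  return srcs
    .map((src) => ({ src, ...classifyScriptSrc(src, pageOrigin) }))
    .filter((entry) => !entry.trusted);
}
// In a browser, watch for <script> elements injected after load (vendor code
// calling more code) and hand unexpected origins to a reporting callback.
// Returns null outside a browser, e.g. under Node, where there is no DOM.
function watchDynamicScripts(pageOrigin, report) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== 'SCRIPT') continue;
        const info = classifyScriptSrc(node.getAttribute('src'), pageOrigin);
        if (!info.trusted) report({ src: node.src, ...info });
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
// Constructed sample: the site's own script, the tag manager, the vendor's widget,
// and a script the vendor's code pulled in from an origin nobody approved.
const SAMPLE_SCRIPT_SRCS = [
  '/static/checkout.js',
  'https://www.googletagmanager.com/gtm.js',
  'https://cdn.vendor-ecommerce.test/widget.js',
  'https://cdn.looks-legit.test/analytics.min.js',
];
```

Run against `SAMPLE_SCRIPT_SRCS`, `findUntrustedScripts` flags only the last entry; in production the `report` callback would post the flagged origin to a logging endpoint so an unexpected script is noticed in hours rather than months.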

Privacy requires governance

Although the ICO is demurring for now, there are valuable lessons to be learned. Countless martech solutions are loaded from remote servers via JavaScript, such as Google Analytics, DoubleClick, and various retargeting engines. The problem is that large brands are failing to exercise their own technology governance and supervision, putting consumers at risk.

That risk—real and perceived—is the driving force behind a sea change in data privacy, including the inevitable prospect of digital advertising in a cookie-less future. Users are taking control of their data by turning to privacy protection tech (now built into Chrome, Safari, and Firefox), incognito browsing, VPNs, and more. The only way advertisers can win back these hearts and minds is to re-establish their trust.

Take the high road

At a tactical level, marketing decision-makers have to work hand-in-hand with web developers and data analysts to not only deploy the right tech but manage its ongoing usage, including monitoring hidden third-party tags in real time. But most of the hard work ahead is strategic rather than tactical.

In order to respect privacy in the digital age, brands have to do better than pop-up check boxes and empty platitudes about compliance. Privacy has to be built into the customer experience as people begin to understand their data, take greater control of it, and welcome more privacy-focused consumer legislation like the California Consumer Privacy Act—coming into effect on July 1 this year.

It remains to be seen whether or not British Airways actually has to pay its eye-watering $237 million fine (compared to Facebook’s paltry $647,000 pre-GDPR fine for the Cambridge Analytica affair). Either way, its reputation has suffered lasting damage: this is a landmark data breach scandal that will not go quietly into the night sky.

Fortunately, brands that play by the rules—and, more importantly, really mean it—can expect minimal turbulence ahead as they plot a course into a privacy-first digital future. Want to know how? We’ve already laid the groundwork, so let’s talk.