Corporate Governance and Accountability: BA Data Breach Analysis

Added on  2023/06/03

Report
AI Summary
This report provides an in-depth analysis of the British Airways data breach, examining the incident's context, the nature of the breach affecting approximately 380,000 customers, and the company's response. The report highlights the failures in corporate governance that allowed the breach to occur, focusing on the lack of adequate data protection measures. It explores the risks and consequences faced by British Airways, including potential damages, class action lawsuits, and significant penalties from regulatory bodies such as the ICO, as well as the loss of goodwill and customer trust. The analysis references relevant legislation, such as the Data Protection Act 2018 and GDPR, to assess the legal and ethical implications of the breach. The report concludes by emphasizing the negative impacts of the data breach on the company's financial and non-financial aspects, underscoring the importance of robust data security practices and effective corporate governance to prevent future incidents.
Corporate Governance and Accountability
Student’s Name
10/29/2018
Corporate governance and accountability 1
Contents
Introduction
Background/Description of the company
The Breach
Risk and consequences
Conclusion
References
Introduction
For every organization, ethical conduct is a basic obligation. Corporate governance and
accountability is a concept closely connected with ethics. Corporate governance requires an
organization to act responsibly towards all of its stakeholders. The current corporate world
depends heavily on technology, and in such a scenario it becomes the social responsibility of
every corporation to keep the data of its customers secure in every way possible. Every nation
has different laws and legislation to deal with the issue of data breaches. For instance, the
European government has introduced the General Data Protection Regulation (GDPR), 2016/679,
in the area of data security breaches and data protection. This assignment focuses on the issue
of a serious data breach. Studying the topic is important for understanding the consequences of
such events for the corporation as well as for the affected stakeholders. It is also important
because data breach events lead to a failure of a company's corporate governance. In this
assignment, a company is selected and reviewed with respect to a data breach, and finally the
possible consequences of the breach for the company are discussed.
Background/Description of the company
The company chosen for this research assignment is British Airways, which was recently
reported to have failed to protect the personal data of its customers. As the name of the
company implies, it operates as a flag carrier. It is the
largest airline in the UK on the basis of fleet size and the second largest airline in the UK
when it comes to passengers carried (Plunkett, 2008). The company was established in the year
1974 after the establishment of the British Airways Board by the British Government. A company
named BA CityFlyer is a wholly owned subsidiary of British Airways (Lashley and
Morrison, 2007). The company also runs loyalty programs. British
Airways provides many services to its customers, such as short-haul, mid-haul, and long-haul
flights. In addition, different kinds of cabins are available to customers from
British Airways (hereinafter referred to as BA).
It is no surprise that BA has experienced a number of incidents and accidents. For
example, in the year 2008, one of its flights crash-landed (Simpson, 2014).
More recently, in the year 2018, an attack on the company's website was reported. The
discussion below covers this cyber-attack in detail.
The Breach
British Airways issued a statement that people who booked
flight tickets with BA during a specific period, i.e. 21 August 2018 to 5 September 2018, may
be affected by a data breach (Whittaker, 2018). The company has not disclosed much
about the issue. It was not an ordinary data breach; it affected around 380,000 customers,
whose personal data was stolen. After a detailed study of this data breach, experts
stated that the data of these customers would probably be available for sale on the internet soon.
It was a clear breach of corporate governance. Although BA did not act with wrongful
intent, the company failed to protect its customers' data. The cybersecurity officer
assumed that the personal data of BA's customers, such as credit card details, the CVV printed
on the cards, and contact numbers, might already be on the dark web. Dark web is a term
that commonly refers to a corner of the internet that can only be accessed with the help of some
software that is developed mainly with the intention of data breaches (Vilches, 2017). Paul
Lipman, chief executive of cybersecurity company Bullguard, also said that the credit data was
almost ready to be moved to the dark web.
The data of 380,000 customers fell into danger overnight (Thehindubusinessline.com, 2018).
BA stated that the data was not stolen by breaking the encryption; instead, the hackers used
more powerful and very sophisticated techniques and methods. During the investigation,
cybersecurity experts said that because the card CVV was also among the stolen data,
it is clear that the hackers stole the data at the time customers were entering their
information on the website, and not later from the company's database. A
cybersecurity expert and head of research, Simon Migliano, estimated the value of the
stolen data and stated that it could be worth £21.5m in total (theguardian.com, 2018). This was a
very significant amount.
Turning to the nation's data security law, section 2 of the Data
Protection Act 2018 states that one should process the personal data of individuals carefully,
fairly and lawfully. Section 3 (2) of the act provides a definition of data (Legislation.gov.uk,
2018). The act sets out the manner in which the personal data of individuals should be processed
and specifies which activities one should not engage in when dealing with the personal data of
others. In the present case, BA breached certain provisions of this act as it failed to secure the
data of its customers, irrespective of the fact that it was not at fault. Most of the provisions of
the current data security act are similar to GDPR (Local.gov.uk, 2018). As the company breached
the provisions of this act, it can be stated that it also failed to provide security to the data of
its customers under GDPR.
Risk and consequences
Whenever a company fails to comply with privacy or data protection law,
many adverse consequences follow. At first it seems that the only affected
people are those whose data was stolen, but a detailed study of such issues shows
that the company also suffers many losses whenever it fails to provide security for
the personal data of customers and other stakeholders. In the studied case too, British Airways
faced many risks and adverse consequences after the data breach incident. These risks and
consequences are set out below.
1. Damages: - Damages are the compensation that a guilty party has to pay to the victim
for the harm and damage caused to him/her by the act of the guilty party.
Article 82 of GDPR states that a person who suffers non-material or material
damage because of an infringement or breach of this regulation has the right to seek
compensation from the processor or controller for the damage suffered (Lambert, 2016). This
article further says that a controller will be held liable and responsible where he/she
breaches any of the instructions given to him/her under this regulation.
British Airways promised that no customer would face out-of-pocket expenses because
of this cyber-crime incident. However, BA has not commented on the lawsuits,
only on the direct losses suffered by customers. BA stated that the
company would reimburse every direct loss that customers faced because of the data
breach incident. BA also recommended that customers who made bookings
between 2:58 BST August 21, 2018, and 21:45 BST September 5, 2018,
contact their card providers or banks to check their balance details. These were the direct
damages that BA was prepared to pay the victims. Nevertheless, what about the
indirect losses and damages? Special Protection Group (SPG) Law said that BA is also
responsible for paying indirect damages to victims, as they have suffered mental
stress and inconvenience because of the data breach incident (Theweek.co.uk, 2018). SPG
Law referred to Article 82 of GDPR and said that the law provides damages even for
non-material breaches. This is a risk that BA may face in the future, because SPG Law stated
that it will bring a collective claim for non-material damages on behalf of
multiple victims.
It means BA is at risk of paying material as well as non-material damages to victims,
which will affect the financial condition of the company in the future.
2. Class actions: - Apart from damages, class actions are another threat that BA
may face in the future. A class action is a kind of joint suit that many people
from one specific class bring against the guilty person. An organization has many
stakeholders who can bring a collective class action for wrongful conduct. In
this case, BA may face a class action from the group of its customers who have suffered
from the breach of their private data. Further, BA has been threatened that a class
action lawsuit will be initiated against the company in a UK court, which would lead to an
additional cost worth £500 million to the company (Schwartz, 2018).
3. Penalties: - Damages are the amount which a guilty party has to pay the victims,
but penalties are the fines that a person has to pay to a court or authority for breaching
the provisions of a law. Regulators stated that they are making inquiries into BA. Many
other regulators, such as the Information Commissioner’s Office (ICO), the National
Cyber Security Centre, and the UK's National Crime Agency, are making this inquiry. The
breach in question was reported after the introduction of the new privacy law of the
nation. The Data Protection Act includes the provisions of GDPR, and BA can be held liable
for breaching them.
If that happens, the company would have to pay a penalty of either 4% of global turnover or
£17 million, whichever is greater. Last December, the company achieved a
turnover worth £12.2 billion, and hence the company could face a fine worth
£500 million (Irishexaminer.com, 2018).
4. Loss of Goodwill: - The goodwill of an organization is a valuable asset that it
develops over a long period. Before the data breach incident, the company enjoyed high
goodwill in the eyes of customers, but now the trust of its customers has fallen. They now
think that their personal information is not secure with the company. After the
incident, many of the affected customers tweeted to BA and expressed their anger and
dissatisfaction with the services of the company. In addition to this, the authority under
GDPR sent a mail to BA stating that the company needs to be more careful in future when
dealing with the private data of customers. This shows that everyone, from regulators to
customers, is unsure about the safety measures taken by BA.
Conclusion
To conclude, the data breach incident has brought, and is expected to bring,
many negative results for the company. It was a serious breach and affected almost 400,000
valuable customers. Irrespective of the fact that the company was not actually guilty, it gave
rise to a breach of corporate governance. The case cannot be treated as an ethical breach, as the
company did not act with wrongful intent and apologized to the public for the
incident. After analyzing the whole issue, it can be said that the company may
face many issues in the future, including financial as well as non-financial
losses. The new privacy law regulations are very new in this area, and British Airways can be held
liable under them. Now, the company is required to be more concerned and careful, and to notify
the authority within 72 hours of a data breach incident according to the provisions of GDPR. In
addition to this, the company needs to understand how valuable the data of its customers is,
and is therefore advised to comply with the provisions of GDPR.
References
Irishexaminer.com. (2018) British Airways could face £500m fine as regulators probe data breach. [online] Available from: https://www.irishexaminer.com/breakingnews/business/british-airways-could-face-500m-fine-as-regulators-probe-data-breach-867441.html [Accessed on 30/10/2018]
Lambert, P. (2016) The Data Protection Officer: Profession, Rules, and Role. New York: CRC Press.
Lashley, C., and Morrison, A. (2007) Franchising Hospitality Services. Oxon: Routledge.
Legislation.gov.uk. (2018) Data Protection Act 2018. [online] Available from: http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf [Accessed on 30/10/2018]
Local.gov.uk. (2018) General Data Protection Regulation (GDPR). [online] Available from: https://www.local.gov.uk/our-support/general-data-protection-regulation-gdpr [Accessed on 29/10/2018]
Plunkett, J., W. (2008) Plunkett's Airline, Hotel & Travel Industry Almanac 2009: Airline, Hotel & Travel Industry Market Research, Statistics, Trends & Leading Companies. Plunkett Research, Ltd.
Schwartz, M., J. (2018) British Airways Faces Class-Action Lawsuit Over Data Breach. [online] Available from: https://www.bankinfosecurity.com/british-airways-faces-class-action-lawsuit-over-data-breach-a-11478 [Accessed on 30/10/2018]
Simpson, P. (2014) The Mammoth Book of Air Disasters and Near Misses. UK: Hachette UK.
theguardian.com. (2018) BA customers' credit card details 'probably already for sale'. [online] Available from: https://www.theguardian.com/business/2018/sep/07/ba-british-airways-customers-hacked-credit-card-details-dark-web [Accessed on 29/10/2018]
Thehindubusinessline.com. (2018) British Airways web site suffers data breach. [online] Available from: https://www.thehindubusinessline.com/economy/logistics/british-airways-web-site-suffers-data-breach-380000-payments-affected/article24890064.ece [Accessed on 29/10/2018]
Theweek.co.uk. (2018) British Airways data breach: customers entitled to ‘distress’ compensation. [online] Available from: http://www.theweek.co.uk/96327/british-airways-data-breach-how-to-check-if-you-re-affected [Accessed on 29/10/2018]
Vilches, J. (2017) The Dark Web: What Is It and How To Access It. [online] Available from: https://www.techspot.com/article/1177-dark-web/ [Accessed on 30/10/2018]
Whittaker, Z. (2018) British Airways customer data stolen in data breach. [online] Available from: https://techcrunch.com/2018/09/06/british-airways-customer-data-stolen-in-data-breach/ [Accessed on 29/10/2018]