Just over a year after the GDPR was introduced, one of the UK’s best known brands, British Airways, was made a striking example of regarding what could happen if personal data isn’t protected properly online.
With a landmark £183m fine issued by the UK’s Information Commissioner’s Office to BA in July 2019 – for a customer data breach the previous year – this case was meant to show that companies that carry on with their usual "poor security arrangements" are exposing themselves to a high risk of data breaches, and in turn, will have to deal with the ramifications of the GDPR. The follow-up has been less impressive, but still a talking point for marketers.
When BA’s six-month appeal period concluded last month (January 2020), instead of hitting the company hard with a standard-setting fine, the ICO quietly delayed its decision for nearly another three months. This has led to an industry-wide focus on the ICO’s apparent unwillingness to punish companies that have taken a loose approach to implementing the regulation; frustrating those brands that have gone out of their way to put proper protections in place for their customers, and shaking consumer confidence in regulatory bodies’ ability to enforce GDPR. But the ongoing complexity of the BA case should serve as a lesson to brands wanting to avoid the same fall-out.
Poor security procedures
Despite the BA data breach being executed by hackers who hijacked its ecommerce vendor’s code, because that code was running on the BA website, the ICO held the brand accountable due to its data security practices. The case is interesting because of the attack method: hijacking the website’s code running in an end-user’s browser. The third-party code looked so similar to BA’s own coding that it was very difficult to detect; though not impossible if the company had implemented stringent and real-time tag tracking technology.
When coders build modern websites, they use HTML for the static parts of a page, and JavaScript to provide advanced custom experience functionality. Instead of maintaining all of the code from JavaScript libraries on each page, they tend to inject the code on the fly as the page loads into the browser from a Content Delivery Network.
In this case, the BA site called its ecommerce vendor’s code, which in turn called even more code into the site; some of that code had been hacked and allowed the perpetrators to steal credit card data. The malicious JavaScript stole up to 429,000 customers’ sensitive information and ran for three months before finally being detected.
Modern martech and adtech technologies (including files and redirects) are all delivered in this way, through JavaScript. Well-known functions like Google Analytics, DoubleClick, Marketo and retargeting engines, analytics suites and social media integrations also all require JavaScript to run in the browser to operate, being loaded from remote servers.
The danger is that the JavaScript can be loaded from a remote location and can in turn load JavaScript from another party, known as hidden tags, creating a system of code-calling-code-calling-code, which can be complex and difficult to analyse and predict. You might not know it’s there, but if you’re the owner of the website you are responsible for providing end-user protection. Hence the ICO’s statement about BA’s shoddy security practices.
Consider an upgrade
There’s a lot of martech running around outside of a brand and marketer’s control that can cause these sorts of breaches. Some of the largest brands in the world allow their sub-brands and regional divisions to deploy technology with little governance over what is actually being executed. Without this governance and technology supervision, brands and their consumers are at risk.
Given the growing amount of – and attention on – data breaches or data leaks, consumers are starting to shut down brands’ use of their data. They’re becoming further empowered by new browser changes – think of the privacy protection technology being implemented by Chrome, Safari and Firefox – and additional technology that makes it easier to go incognito. It’s only a matter of time before marketers’ access to third-party data collection is halted.
Given all of this, it’s crucial that brands shift to strategies where consumers engage willingly with them and provide data about themselves. In order to achieve this, though, brands have to earn their way back into consumers’ good graces by establishing trust and goodwill.
Treating customer data in a safe and secure manner is a responsibility all companies must take on whenever they engage in data collection and process transactions online. All the while gaining their consumers’ permission and ensuring they understand their choices, and the value they’ll receive for allowing brands to work with their data. is a great example of a brand letting consumers lead the dialogue, leading with trust building transparency.
The first step is for marketers to work with their web developers and IT decision-makers to make sure their brand is using the right technology to monitor and manage hidden third-party tags in real-time. They need an up-to-date picture of all the code running in the environment of their site, not only the code originally placed by developers, but additional coding from their company, their vendors and advertising partners or from unknown sources.
Second, we all need to change our mindset towards privacy and compliance. Privacy policies must be an integral part of the customer experience design process, not just a click box visual to make them feel protected and give the brand a sense of being compliant with regulations. The BA case might have happened under the GDPR, but these regulations are going to become more relevant to consumers and companies across the world over the coming months.
Third, start asking the right questions right now. What data is being collected? For what purpose? Does asking for this information help customers or just add to the risk of a possible cyber attack? How can there be control over what happens with tags on our site?
Don’t get landed with a fine
In financial terms, at 1.5% of BA’s worldwide revenue for 2017, the threatened ICO fine was a warning for all companies – they could be held to account for not preventing the actions of criminals if their data collection, processing and retention processes aren’t sufficient. Thinking that your company is beyond the scope of the regulators, or starting to worry only when the fines and breaches start happening closer to home, is not the right way to deal with data privacy. Don’t interpret the ICO’s slow start to enforcement as a sign that you can now slacken your approach to GDPR.
The ICO has been under pressure, possibly from a lack of staff or financial resourcing, but it won’t want to be seen as complicit with those companies flouting the law. And after recent criticism, it’s likely to want to make a strong case for itself, against the offenders and the critics.
Darren Guarnaccia is chief product officer at