FlyerTalk Forums - View Single Post - BA data theft: should I join the class action suit?
Old Oct 27, 2018, 5:29 am
  #55  
ThatT1Feeling
 
Originally Posted by bisonrav
What sort of business are you involved in @ThatT1Feeling? What sort of an impact would losing 4% of your revenue have on it? Do you think you would allow employees to send out ANY messaging that was not rigorously checked by lawyers if there were the remotest risk of prejudicing a defence?

The answer is clearly no. It doesn't matter what individuals' spend is. BA are probably concerned about customers, but their duty is to shareholders. And rightly so.

The slightly depressing thing here (I work to some degree on cybersecurity) is that the bluster and posturing about "bad old useless BA cutting costs and not looking after our data, cost cutting/Cruz blah blah blah" is obscuring some basic and very important facts: this looks like it was about human factors (access/permissions/review processes) rather than cost. Most if not all companies are subject to similar issues, because employees are fallible. If you don't believe me, drop a USB stick in your company car park with a script that emails you when it's inserted. And wait for the email.

This should be a wake-up call to everyone. Because it could very well be your business who is facing an existential threat from GDPR fines, and being subjected to ambulance chasing claims. In such cases, you would be telling your staff to stick strictly to the legally approved forms of words. Instead it's becoming a stick to hit BA with for other perceived wrongs and lessons are not being drawn.

But on the substantive issue, not being in the class action is the worst of all worlds. It loses: no effect. It wins: compensation is fixed at a top limit and shared, this is ultimately paid for by customers one way or another so you might as well get a share. The ambulance chasers don't care that this will be peanuts, as their 35% won't be.







For the purposes of this discussion, I am a customer of BA and am a customer caught by both breaches who is both concerned that these breaches have occurred and who is also very disappointed by the way they are managing the fallout.

For BA not to respond to a letter which was purely about some specifics of which data was compromised (so I could have been less concerned about being away from home when the details of my flights could have been out in the open), isn't acceptable. I was purely seeking a factual reply.

I take your point about them having to be really careful not to imply or admit guilt at this stage - I bet their lawyers are all over it - but that doesn't excuse what is coming across as a defensive and even patronising set of words about the "criminal theft" and their apparent victimhood in all of this. If they were more adult in their comms, I might be less disappointed in them.

I agree that in this case, the breach appears to have been at the point of transaction rather than a breach of the underlying stored data - but the way it's happened, with other breaches being found during the investigation and the fact that it was undetected for some weeks, leads me to have concern about their broader approach to cyber security.

Whether my business could cope with a 4% fine of turnover is interesting but I would argue not really the point (although it's kind of you to have answered the question you posed to me in your following sentence, thereby saving me the trouble)! Certainly I'd rather not be caught out in such a way but the point here is that data security is quite rightly seen as a key legal requirement of being allowed to do business online in the territories covered by GDPR. It's set high for a good reason and it should have focused minds - that's the point. If BA has done what they should under the law and were caught out by something which reasonably could not have been prevented, then the ambulance chasers will lose, the lawyers will take a hit on at least the cost of the insurance and in many ways I will be happier if that's the result.

And finally, back to your first question. I undertake digital transformations of client businesses, including building and securing online payment transactions, be they through b2c websites, b2b websites or other data integrations. Ironically I am also a (small) BA shareholder.