British Airways hit rough turbulence when payment details of over 380,000 customers were stolen in a data breach that could land the airline a £500m fine under the new GDPR legislation.
Customers who made bookings through ba.com or the airline’s app, are now urged to contact their bank and credit card providers immediately.
The company said that customers who used the website between 22:58 on 21 August and 21:45 on 5 September, have had their names, addresses, email addresses, and sensitive payment card details stolen.
Analysts at RiskIQ reported that that hackers used the same tools that was behind the Ticketmaster data breach in June 2018, where cyber criminals used virtual card skimming software to steal data from payment forms.
How will the data breach affect British Airways?
Founded in 1974, British Airways has become one of the largest airline companies within the United Kingdom, carrying over 145,000 customers from A to B on a daily basis.
When clocking up the air miles we are very quick to scrutinize airline companies about delays, how much legroom we get and how bad inflight meals are. While people can often forgive these slight issues, a data breach is much harder to forgive.
This becomes personal and intrusive of the individuals involved and won’t be forgotten quickly. Just after BA was recovering from the reputational damage of last years IT meltdown which cost the business an estimated £58m, British Airways’ reputation and finances will now come under pressure once again.
How will the breach affect British Airways’ reputation?
For a brand of British Airways’ magnitude and the media coverage it now faces, the data breach will have massively damaging effects on the brand’s image and reputation.
According to YouGov’s BrandIndex data, the airline’s ‘impression score’, which measures whether someone has a positive or negative impression on a certain brand, is now 10 points lower than it was in August 2016.
Some victims of the breach have took to social media to express their feelings about the incident, in particular the manner in that BA handled it;
“Atrocious that I had to find out about this via news and twitter. Called bank and had to cancel both mine and my wife’s card. Probably won’t get it back before we fly (ironically).”
“My bank… are experiencing extremely high call volumes due to this breach! Couldn’t do anything other than cancel my card… not how I wanted to spend my Thursday evening.”
Michelle Dewberry, presenter of the Sky News debate programme The Pledge, had the following to say about the situation “Found out re data breach from news, before you had the decency to tell me yourself I was likely affected. I’m travelling alone in Vietnam & have had to put stop on the card, which makes me vulnerable & I’m now spending precious hol time trying to resolve”.
To rub salt into the wound, shares in the owner of BA, IAG, fell by nearly 3% at the end of last week following the breach.
What financial impact will the data breach have?
As well as a drop in sales from a damaged reputation and losses from having to reimburse its customers, BA could face massive fines if it’s found to be in breach of the new GDPR legislation.
BA’s total revenue in 2017 was £12.226bn. Under the new GDPR, the company could be hit with a £500m fine from the ICO, equating to 4% of the company’s global turnover.
A spokesperson from the Information Commissioner’s Office said that it had been made aware of the data breach and said that it was making enquiries.
To make matters worse for BA, a law firm has launched a group action lawsuit for those affected by the breach and estimate that each victim could possibly claim upto £1,250 in compensation.
British Airways aren’t flying solo in their cyber security vulnerabilities. The data breach comes in a recent string of attacks to hit the travel sector with Air Canada confirming in August that 20,000 customers may have had their personal details improperly accessed through the company’s mobile application. Likewise, in July Thomas Cook admitted a data breach which exposed personal details of around 100 bookings. In early 2018, Atlanta based airline company, Delta, announced that the third-party providers of its live chat service had been affected by a cyber incident.
What can we learn from the British Airways data breach?
As far as data breaches go, the British Airways breach is massive. The airline was only alerted to what was happening by a third party.
While this was a result of cyber criminals hacking into the British Airways website or mobile app, data breaches on this magnitude can happen from all angles. The most common method used by cyber criminals is to exploit people within your organisation to gain entry.
The most effective way to mitigate this risk is to give staff first class training in how to make your organisation more secure. Our courses teach your staff about a wide range of security topics including how to craft the perfect password, how to properly handle data and how to stay safe on the web.
If you’d like to see one of our courses in action, you can download our demo course here.