British Airways has suffered a large-scale data breach, with nearly 380,000 card transactions compromised.
It was reported that it took 16 days for the breach to be detected, which experts have deemed ‘shockingly slow’, particularly post-GDPR.
British Airways’ chief executive Alex Cruz has apologised for the breach, in which hackers targeted the personal and financial details of customers making bookings between 21 August and 5 September.
British Airways has been blighted by IT issues over the last 18 months, with big application failures causing flights to be cancelled in July and also over the Bank Holiday weekend in May 2017.
The impact of poor application performance has disappointed thousands of customers, who have not been shy in voicing their dismay. It seems the global airline industry should regularly monitor the security and performance of its applications, and not focus only on keeping the planes in the sky.
Paul Farrington, head of EMEA at app security company CA Veracode, calls for more consistency in security and app performance in the airline industry, commenting, “The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.
“Furthermore, with GDPR now in full force, the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.
“IT issues are affecting not only BA, but also the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show investment should also be directed at technology. As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.
“Customers are right to be angry. If UK businesses want to avoid becoming the next victim of a breach it is crucial that they take significant steps to secure their software, web applications and networks to ensure that they aren't their weakest points of attack.”
But where does that leave those customers whose data was stolen? Well, in an email notifying customers of the breach, British Airways simply advised that affected customers contact their bank or credit card provider and go from there, although there has been talk of compensation.
That said, Matt Middleton-Leal, general manager, EMEA at Netwrix, believes more customers may have been affected than originally cited, commenting, “While it’s positive to see that British Airways has informed its customers about a breach relatively promptly, it is possible that a larger number of customers have been affected than stated in the official announcement. With this in mind, as personal and payment data have been compromised, all customers would be wise to change their passwords – this includes any sites where the same details are used – and contact their banks to cancel payment cards.
“As always in the wake of a data breach, consumers should be wary of an increase in phishing emails, in this case purporting to be from British Airways or banks. Hackers will always look to take advantage of the publicity and heightened customer anxiety following an incident.
“As for the impact on organisations, the loss of customers’ personal and financial data has serious reputational implications, and in the era of GDPR, incidents such as this can lead to vast fines. To minimise security risks, organisations should ensure they monitor user behaviour and ensure they can detect attacks in real-time, enabling them to intervene and terminate a suspicious session before an attack results in data loss or compromise.”
British Airways is suffering more than reputational damage: since this latest breach, shares in BA's owner, IAG, fell by nearly 3% on Friday morning, wiping almost 500m off the company’s market value.