British Airways are facing more issues in a string of bad luck after announcing a data breach which has impacted 380,000 customers. Occurring over two weeks between August 21st and September 5th, both personal and financial data was stolen, including names, email addresses and sensitive card information (as well as the three-digit CVV number on the back of the card). BA has advised that the compromised data doesn’t include travel or passport details.
As it is prohibited under international standards set out by the PCI Security Standards Council, BA insists it did not store the CVV numbers. Security researchers have speculated that the card details were intercepted during payment transactions, rather than harvested from a BA database.
Ross Brewer, from security intelligence firm LogRhythm said:
“The scale and nature of this attack is astounding, with around 380,000 customers knowingly affected,”
Customers that bought tickets from British Airways throughout the two-week period, either through the ba.com website or their mobile app, are being urged to contact their banks and credit card providers for advice on how to proceed. The airline has promised to compensate for any financial loss or hardship. As a result, shares in BA parent group IAG were down by 3.44% in early afternoon London trade.
With the new General Data Protection Regulation (GDPR) in place, British Airways could be facing huge fines from the Information Commissioner’s Office (ICO) as they look further into the breach. GDPR has imposed an escalation in the penalties placed on firms for data breaches, fines are now levied at a maximum of 4% of global revenues, for BA this could mean an upper limit of £500m.
Alex Cruz, chief executive of British Airways said:
“The breach has been resolved and our website is working normally. At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data.”
Data breaches are becoming more frequent as most businesses are deciding to move their services and operations online. Despite BA taking ‘urgent’ steps to resolve the issue, customers are voicing their frustrations towards the airline, with many finding out about the stolen data over Twitter or the BA website rather than being contacted directly.
Consumers were left forced to cancel their cards with immediate effect to avoid any further complications. Unfortunately, many have been struggling to get through to their banks because of increased call volume and ba.com account password resets are proving difficult, receiving continuous ‘Reset Password Error’ messages during their attempts.
British Airways are not the first airline to become victim to a data breach as Thomas Cook admitted names, emails and flight details had been accessed in July 2018. Towards the end of August 2018, Air Canada also confirmed that 20,000 of their mobile app users had been breached and Delta Airline were subject to two data breaches throughout September and October 2017.
Executive Director of Which?, Alex Neill said:
“British Airways customers will be concerned to hear about this data breach. Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”
A breach such as this further highlights the importance of maintaining a high level of security whilst taking payments, including a review of how sensitive data is received and transmitted, rather than just how it is stored.
To minimize the impact of a data breach, it is imperative organizations evaluate the security of their entire network for taking payments, ensuring that their customers data is safeguarded. PCI compliance throughout their applications, systems and services is crucial when it comes to reducing the threat of malicious cyber-attacks.