As we near the end of summer, many of us are returning from annual leave while others, like myself, are seeking one last getaway. Whatever your situation, some of you who have flown within the last month or two will have used British Airways. Why does this matter? Well, BA are the latest “victim” to experience a data breach.
I say victim, but I don’t hear anything about any of BA’s confidential documents or other sensitive information being leaked and/or stolen. No, BA are not the victims. Yet again, it is the consumers who are the ones at risk as a result of a breach.
Now, BA have released a statement saying that the personal and financial information of 380 000 individuals has been compromised, advising anyone who made a booking or changed an existing booking between August 21st and September 5th, 2018 to contact their bank or card provider for recommended actions. Take it from me: after waiting 40 minutes to get through to my bank, the advice I received was to cancel my card and wait up to 6 working days for a new one. Problem solved, right?
No! According to BA boss Mr Cruz, the information taken included name, email address, bank card number, expiry date and CVV. Whilst cancelling your card protects you to a point, the risk of fraud remains fairly high, as the attackers can now open accounts in your name or sell that data on to other criminals who are perhaps more creative.
It will be interesting to see what the investigations find as the root cause of the breach and how the hackers were able to access the data undetected for just over 2 weeks, or 15 days. According to cybersecurity firm RiskIQ, it took a mere 22 lines of code for the hackers to gain access to the data. In addition, RiskIQ have speculated that Magecart, the group responsible for the Ticketmaster UK breach earlier this year, is behind this breach as well. As seen throughout the year (and beyond), data breaches continue to occur time and time again. When will this stop? When will firms take the protection of client information seriously?
One thing that can be said is that we are beginning to see the public hold firms accountable for the loss of their personal data. A prime example is the class action lawsuits brought against Equifax last year, and now law firm SPG Law are considering suing BA for £500 million. That being said, what have BA done since the breach?
In my opinion, as an impacted customer, BA have managed the situation fairly. This is supported by BA issuing a statement announcing that the breach has been resolved and the website is functioning as normal again, by BA notifying customers of the breach within 72 hours of becoming aware of it (as required under GDPR), and by BA’s subsequent promise to reimburse any financial loss incurred by those affected. However, I would agree that this breach should not have occurred in the first place and that BA have still failed 380 000 customers by inadequately protecting their data. The question is, will their actions help the ICO look upon BA favourably, or will the ICO look to make an example of them? Only time will tell, but for now BA are in turbulent conditions…