Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

British Airways data hack: these events are happening too often

Tougher regulation is needed to force companies that hold our data to secure it more effectively

James Moore
Chief Business Commentator
Friday 07 September 2018 06:41 EDT
Comments
BA data breach: 'Name, email, address and credit card information' stolen, says CEO

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Here’s everything you need to have a whale of a time at someone else’s expense: name, address, credit card number, card expiration date, three letter security code.

The sophisticated and malicious hackers that targeted British Airways were able to get their hands on all those details, intercepting 380,000 transactions in total. They also picked up customers’ email addresses. Bonus!

They did not get their passport details or itinerary information. But that’s really not going to come as much comfort to those affected. It amounts to saying: “We’ve just hit you in the stomach, but here, have a paracetamol because it could have been worse.”

Except that it gets worse. Here’s another gut punch: the breach took place between 21 August and 5 September. So it was active for just over two weeks. BA was informed of it by “a third party”, thought to be another airline targeted with a high volume of attempted fraudulent transactions.

And here’s another: customers have been taking to social media, and the airwaves, to say they found out about this stuff not from BA but via the news media, Twitter and other outlets.

Some of those who were contacted received emails that landed in the early hours of the morning. If you’re like me you probably get a lot of guff in your inbox so something coming from a business at that time could all too easily get missed.

Faced with all this, the natural inclination of many people has been to attempt to cancel and replace their cards – forget the “watch your account and if nothing happens don’t worry about it” advice.

But that’s just left them with the frustration of dealing with another industry, banking, that takes a decidedly slapdash approach to customer service: “We are experiencing a high volume of calls at the moment. Please hold the line. Your call is important to us.”

A country that works for everyone, said Theresa May. Here is yet another example of the vast gulf between her rhetoric and everyday reality.

This latest incident comes just a couple of months after a major Ticketmaster hack and another at Dixons Carphone, the electronics retailer.

They all bear striking similarities: delays in the hack coming to light, poor communication after the event (I was caught up in the Ticketmaster occurrence and can testify to that), apologies from executives that sound less than sincere if you find yourself on the receiving end.

It really isn’t good enough.

The affair has hit the share price of BA’s owner IAG, which was trading down 3 per cent at the time of writing, good for £400m off the company’s market value. It’s important that investors have apparently taken the issue seriously, all the more so at a time when the company has been trying to repair its frayed relations with the people who fly with it.

But such falls often prove transitory.

The money required to compensate customers who lose out through fraudulent transactions is real and may have a meaningful impact on BA’s results. Shareholders, accustomed to the ups and downs of stock prices, will likely pay more attention to that, not to mention the potential damage to the company’s reputation.

What is troubling, however, is that I’ve been hearing people talk about such data breaches being “a fact of modern life”. That’s dangerously blasé, and provides a get out for companies that are failing to invest sufficiently in IT, and particularly in data security. How often have you seen IT mentioned in cost cutting plans? It’s worth noting BA’s mania for outsourcing at this point too.

Broadband provider TalkTalk was fined £400,000 after a serious cyber attack in 2015. It affected half as many customers as have been caught up in the BA event. However, for a company like IAG, even a penalty of double that would represent little more than a rounding error in its accounts. Businesses like it will only invest sufficiently if the consequences are sufficiently severe. Regrettably, it’s debatable whether even compensation costs running to tens of millions, and the horror and outrage of customers, are truly cutting it.

The regulatory and legal strings may need to get a lot tighter to truly get the point home.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in