British Airways (UK) has recently suffered the most serious data breach in the more than 20 years the airline has operated online. Hundreds of thousands of its customers’ credit card details were stolen from its website and app over a two-week period. Forget tackling a major public relations disaster; BA has landed in hot water not only with customers, but also with the British authorities (hint: fines of up to $637 million). And then there are the shareholders, who may have to accept a lower profit as a result of the breach.

“From 22:58 (BST) August 21, 2018, until 21:45 (BST) September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.”

That was the official statement released by BA on September 6, 2018, a day after the airline discovered that transactions made on its website and app had been hacked.

“We discovered that something had happened but we didn't know what it was [on the evening of September 5, 2018]. So overnight, teams were trying to figure out the extent of the attack,” the airline’s Chairman and Chief Executive Alex Cruz was quoted as saying by the BBC.

“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that's when we began immediate communication to our customers.”

We would call this serious enough, as according to Reuters, the data breach affected about 380,000 card payments with hackers obtaining customers’ account information such as names, home and email addresses, credit card numbers, expiry dates and security codes (but thankfully, not the travel or passport details, as the airline stresses).

Plenty of room for speculation

Cruz has apologized for the breach, saying the company is “deeply sorry” for the disruption caused by the data hack, which he described as a “sophisticated” and “malicious” criminal attack on the company’s security systems.

He also said the attackers had not broken the airline’s encryption but did not explain exactly how they had managed to retrieve customer details, noting only that “there were other methods, very sophisticated efforts” used by the person(s) who obtained the data, Reuters reports.

And since BA has not revealed any technical details about the breach, stating only that it is investigating the data theft “as a matter of urgency”, cyber-security experts have been talking extensively to the media about the possible origin of the attack. One of them, Professor Alan Woodward of the University of Surrey, told the BBC:

“They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk. It looks very much like the details were nabbed at the point of entry - someone managed to get a script on to the website.”

This means that a piece of malicious code on the BA website or app may have been covertly extracting customer credit card details and sending them to another party while customers were typing them in.

According to Woodward, this is an increasing problem for websites that embed code from third-party suppliers, also known as a “supply chain attack”. But the professor also says it may just as easily have been a company insider who tampered with the website and app's code.

Reprimanded by the highest-level authorities

Although BA states the data breach has since been resolved and its website is working properly, it may not get away with its customers’ data theft as easily as the hackers did.

The line “We take the protection of our customers’ data very seriously” is now being put to the test by the British authorities, which seem set on disciplining the airline under the European Union’s (EU) tough data privacy laws.

It all comes down to, as Bloomberg explains, the EU’s General Data Protection Regulation, or GDPR, which took effect across member states in May 2018 (reminder: the UK is still a member until March 29, 2019).

The regulation requires companies to take technical precautions such as encryption to ensure client data is protected. It also states that companies must notify authorities about breaches within 72 hours after learning about them.

Non-compliance quite simply means fines.

And yes, BA alerted its customers and authorities swiftly enough. In a statement on September 6, 2018, BA said it immediately contacted the affected customers once the extent of the breach became clear, and that it was advising those who suspect they may have been affected to contact their banks or credit card providers.

BA also said it had notified the police and relevant authorities about the incident, those being the UK’s National Cyber Security Centre and the National Crime Agency.

But under the GDPR, the data breach could still cost the airline a hefty sum. According to the BBC, BA could potentially face fines as much as 4% of the company’s annual global revenue or about $637 million (£489 million) based on 2017 figures, from the Information Commissioner's Office, which is investigating the breach.

And if the maximum penalty were applied to the sales of BA’s parent company, International Airlines Group (IAG), which were about $30 billion (£23 billion) in 2017, it would reach nearly $1.2 billion (£920 million), according to Reuters.

Shares in IAG dropped 2% in afternoon trading on September 7, 2018, following the news of BA’s data breach, meaning that shareholders can expect the financial toll from the incident to hit the company’s profits over time.

And do not forget – BA still has to compensate the customers whose data has been stolen. As the airline’s chief said, the company is “100% committed to compensate” them.

“We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered,” the BBC quoted Cruz as saying.

But 380,000 affected customers? That should translate into another hefty sum for BA, something we will surely hear more about in the days and weeks to come.
