
BA data theft: Customers financials compromised

September 7, 2018 | Expert Insights

British Airways has notified the police about a data theft after the credit card information of at least 380,000 customers was hacked from its website and mobile app.

The theft is also likely to lead to a union backlash after criticism of the airline's decision to outsource IT work to India.

Background

International Airlines Group is one of the world's largest airline groups with 546 aircraft flying to 279 destinations and carrying around 105 million passengers each year. The IAG is the parent company of Aer Lingus, British Airways, Iberia and Vueling. It is a Spanish registered company with shares traded on the London Stock Exchange and Spanish Stock Exchanges.


Analysis

The airline said the personal and financial details of customers who made bookings on its website or app from 10.58pm on August 21st until 9.45pm on September 5 had been compromised.

BA said the stolen data did not include travel or passport details, adding that it was investigating the security breach as a matter of urgency. The company said the breach had been resolved and the website was now working normally, and all customers affected by the breach had been contacted on Thursday night.

Alex Cruz, British Airways’ chairman and chief executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.” The company said it is communicating with affected customers and has advised anyone who believes they may have been affected to contact their banks or credit card providers.

The National Crime Agency said it was aware of the data breach affecting British Airways and was consulting with partners, including the National Cyber Security Centre, to assess the best course of action.

A spokesman for the Information Commissioner’s Office said they would be making inquiries about the data theft. Alex Neill of Which? said: “British Airways customers will be concerned to hear about this data breach. It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves. 

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach, as scammers may try and take advantage of it.”

The data theft, one of the most serious to hit a UK company, deals another blow to BA’s reputation. In May last year, the airline suffered an IT disaster when a power surge in its control centre near Heathrow caused a global flight interruption and left tens of thousands of passengers stranded, most notably at the London airports. Smaller glitches have recurred, with dozens of short-haul flights cancelled again this July.

In July, Dixons Carphone admitted a huge data theft. Initially, the company said 5.9 million customer bank card details and 1.2 million personal data records had been hacked in 2017 and went unnoticed. Later, the company backtracked on its original figures and amended the total of customer records that had been accessed to a staggering 10 million.

In April this year, Delta Air Lines announced that one of its suppliers had been the victim of a data breach, while last week Air Canada said its mobile app had been breached, potentially affecting 20,000 people.

IAG, which owns British Airways and Spanish carrier Iberia, said last month that first-half profits more than doubled. Earnings after taxation rose to €1.4 billion in the first six months of 2018, compared with €607 million a year earlier, IAG said in a results statement.

Assessment

Our assessment is that BA could potentially face stringent fines under the new General Data Protection Regulation (GDPR) should it be found negligent. We feel that there could be a drastic escalation in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues, which in BA’s case spells an upper limit of £500m. We also believe that a hyper-connected model, in which passengers in airports prefer faster internet and digital engagement with airlines and retailers, opens up a larger surface area for cybercriminals to exploit.