British Airways boss says compensation is on the cards after major data breach

7 Sep 2018

British Airways plane in flight. Image: NextNewMedia/Shutterstock

Hundreds of thousands of customers’ payment cards are affected following data theft at British Airways.

Another global airline has suffered a data breach – this time, it’s British Airways.

The company revealed on Thursday (6 September) that bad actors managed to remain undetected in its system for two weeks. 

British Airways app and website compromised

The attack began on the Ba.com website and mobile app on 21 August and was only halted on 5 September. The website is now working as normal, according to a statement from the airline’s parent firm, IAG.

It said: “The stolen data did not include travel or passport details. From 22.58 BST August 21 2018 until 21.45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on Ba.com and the airline’s app were compromised. The breach has been resolved and our website is working normally.”

The covert operation allowed around 380,000 pieces of card payment data to be exposed. The company is communicating with affected customers, advising them to contact their financial services provider. 

CEO apologises

CEO of British Airways, Álex Cruz, apologised on BBC Radio 4 today (7 September). He said that the company would work with affected customers and “compensate any financial hardship suffered”.

According to Cruz, a partner of British Airways informed the company of the attack on 5 September. He added: “The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”

Shares in IAG fell almost 3pc today. Last year, the airline experienced a major IT issue that left tens of thousands of passengers stranded.

Could a fine be on the way?

The Information Commissioner’s Office (ICO) in the UK is looking into the breach and the possibility of fines for the airline.

Oz Alashe, CEO of UK cybersecurity firm CybSafe, told Siliconrepublic.com: “Under the relatively new GDPR regulations, companies can be fined up to 4pc of their global revenues. At the very top of the scale, and depending on the view of the ICO, BA could be facing a fine of up to £500m for this incident.”

Matt Lock, director of solutions engineers at threat detection firm Varonis, said: “The world will be watching to see if the incident results in high fines.”

He added that the company did report the incident in good time and took swift action, but lamented the work customers will need to do to secure their information. “Consumers, once again, are going to need to devote their personal time and effort ensuring fraudulent transactions don’t appear on their credit cards or affect their financial wellbeing. That’s a far cry from preparing for the big trip they just booked.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
