UK airline British Airways (BA) is facing rising criticism from tech companies and several other players in the industry after it announced it is investigating the theft of customer data from its website and mobile app.
The largest airline in the UK, BA said on Friday that the personal and financial details of nearly 400,000 of customers who made bookings between 22:58 BST on 21 August and 21:45 BST on 5 September had been compromised.
The attack, which chief executive Alex Cruz described as “sophisticated” and “malicious”, has also had a significant effect on the shares of the airline’s parent group IAG, which saw a drop of 2.79% on Friday.
The company has already been hit by IT problems in the past. In July, dozens of flights at Heathrow Airport were cancelled due to ongoing IT issues at British Airways. In May 2017, further problems with the airline’s IT systems led to several cancellations at both Gatwick and Heathrow airports.
Cruz said in a statement: “At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data.”
The scandal has been condemned by several stakeholders in the industry who have expressed their concerns about data protection in the aviation sector.
Commenting on the news, Israel Barak, chief information security officer at Cybereason, said: “The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone.
“Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch. As an industry, until we can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”
App security company CA Veracode has called for more consistency in security and app performance in the airline industry. The company’s head of EMEA Paul Farrington said: “The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.
“Furthermore with GDPR now in full force the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.
“IT issues are not only affecting BA, but also in the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show investment should also be directed at technology. As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.”
This is the third data breach scandal at a major airline this year, with both Delta and Air Canada falling victim to hacks that stole thousands of customers’ data.
According to ThinkMarble data protection lawyer and head of legal services Robert Wassall, the latest BA scandal should work as a wake-up call for all airlines.
Wassall said: “All of these data breaches have created high risks to those affected. Not only is there the possibility of financial loss, there’s also a possibility that the attackers will know or be able to work out when people are going to be away from their homes – and so be vulnerable to break-ins.
“This means it’s crucial when choosing a third party to work with to make effective enquiries about their security arrangements – which should be reflected in a robust contract that complies with Article 28 of the GDPR.”