British Airways: the rare case of regulation actually working


Last week, British Airways (BA) announced to the world that it was a victim of a cyber attack, and that confidential financial information of roughly 380,000 customers had been stolen.

The only silver lining is that its customers were notified of the breach within 72 hours of its discovery. A miracle, by any standards.

Thanks to the EU’s General Data Protection Regulation (GDPR), in force since May, people are more involved with corporations than ever in the quest to achieve information parity and an understanding of how their data is being harvested, kept and used. Because of these rules, BA was forced to disclose the details of the hack or risk paying large fines for withholding vital information.

Are congratulations in order? Historically, much time has elapsed before companies revealed details of a security breach. Although hacked in 2014, Yahoo only told its customers in 2016, and later admitted that the details of a further 2 billion accounts had been compromised in 2013. It does seem that BA’s 72 hours may in fact be worthy of praise.

But that is probably where the commendation stops.

In terms of scale, BA’s hack is relatively small, but the damage is worse: not only did cyber criminals gain access to customers’ private information and credit card numbers, but they also managed to get away with the three- or four-digit CVV security codes of the cards – the final security measure against online fraud.

CVV codes are not supposed to be stored by online merchants, which is perhaps why this particular hack is doubly shocking. In fact, according to the British Information Commissioner’s Office, this type of data breach is incredibly rare.

BA’s emergency response unit appeared flustered in its attempts to address the hack, in contrast to leading UK banks such as Santander, Barclays and Monzo, which in the past have responded immediately by reissuing cards to anyone even potentially affected by a breach.

While BA’s customers who have “suffered financial losses as a direct result of the theft” will be compensated, little else has been done to reassure clients. The two emails and the public statements issued have not yet explained the cause of the security breach, but the rumour is that cost-cutting in the technology department is behind the failure.

And the events of May 2017, when BA suffered a global IT system failure that left 75,000 passengers stranded after more than 700 aircraft were grounded, although unrelated, do say something about the standard of technology at BA.

A spokesperson for the airline commented: “This was a sophisticated criminal act. We are investing more in cybersecurity than ever before and will continue to do so.”

The saying goes: better late than never. But in the case of BA and the financial consequences that are to ensue, will it be enough to repair its reputation? Only time will tell.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
