We all book flights online. Usually, that is nothing you have to worry about. But recently, hackers stole sensitive customer data from 380,000 bookings with British Airways. Over the course of two weeks, the attackers captured data from hundreds of thousands of credit cards belonging to British Airways customers. As a result, the share price of BA's parent company, International Airlines Group (IAG), has fallen by more than 3%.
British Airways began contacting affected customers immediately and the authorities have been informed, the airline said. They have already issued an apology to customers and plan to “compensate them for any financial hardship that they may have suffered”.
Criminals captured sensitive data in what Alex Cruz, Chairman and CEO of British Airways, has described as a “sophisticated, malicious attack”. The airline has yet to reveal how exactly the breach took place. The point of attack was the online booking website and the British Airways app, where customers made or adjusted their air travel plans.
In total, 380,000 transactions were affected over roughly two weeks, from the evening of 21 August until the evening of 5 September, when the breach was discovered. The thieves were able to capture sensitive cardholder data such as names, addresses, e-mail addresses and credit card information, including card numbers, expiration dates and three-digit security codes. Travel details and passport data were not stolen, according to the airline.
In the meantime, the breach has been contained and customers can safely resume use of the online booking system, the airline says.
What’s the takeaway?
It is very difficult to protect a network. In particular, a large enterprise-wide network with thousands of endpoints, several websites and a huge omni-channel marketing and e-commerce environment is nearly impossible to secure completely.
E-commerce makes the situation significantly more complicated. Customers enter highly confidential information, such as credit card numbers and booking details. On the one hand, you have to make sure the system is user-friendly and delivers a positive customer experience; on the other hand, the system must be secure. This is a delicate balancing act, because added security measures can inconvenience customers and negatively impact usability.
Furthermore, many companies aren't even aware that they've been breached until long after the fact. The average time it takes companies to discover a breach is 170 days. So while companies are obligated to report breaches within 72 hours of their discovery, if the breach isn't actually discovered until half a year later, significant damage can be done before anyone finds out why or how. Thankfully, British Airways managed to notice the attack while it was still happening, but that is rarely the case.
But the question remains: was this data loss avoidable?
We know that organisations must take every step necessary to protect their customers' data. Many companies protect their network with a layered approach using complex and effective firewalls, identity and access management, or intrusion detection systems. But all these countermeasures still aren't a 100% guarantee that a breach won't happen. Protecting the system at its core with a data-centric security strategy is the last line of defence: it makes sure that the data itself is protected and useless to attackers in the event of a breach.