Date: 12-09-18 11:25
British Airways faces millions-dollar fines for data breach
British Airways (UK) has recently suffered the most serious data breach in the more than 20 years the airline has operated online. Hundreds of thousands of its customers' credit card details were stolen from its website and app over a two-week period. Forget tackling a major public relations disaster; BA has landed in hot water not only with customers, but also with the British authorities (hint: fines of up to USD 637 million). And then there are the shareholders, who may have to accept a lower profit as a result of the breach.
"From 22:58 (BST) August 21, 2018, until 21:45 (BST) September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline's app were compromised."
That was the official statement released by BA on September 6, 2018, a day after the airline discovered that transactions made on its website and app had been hacked.
"We discovered that something had happened but we didn't know what it was [on the evening of September 5, 2018]. So overnight, teams were trying to figure out the extent of the attack," the airline's Chairman and Chief Executive Alex Cruz was quoted as saying by the BBC.
"The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that's when we began immediate communication to our customers."
We would call this serious enough: according to Reuters, the data breach affected about 380,000 card payments, with the hackers obtaining customers' account information such as names, home and email addresses, credit card numbers, expiry dates and security codes (but thankfully, not travel or passport details, as the airline stresses).
Cruz has apologized for the breach, saying the company is "deeply sorry" for the disruption caused by the data hack, which he described as a "sophisticated" and "malicious" criminal attack on the company's security systems.
He also said the attackers had not broken the airline's encryption, but did not explain exactly how they managed to retrieve customer details, noting only that "there were other methods, very sophisticated efforts" by the person(s) obtaining the data, Reuters reports.
And since BA has not revealed any technical details about the breach, stating only that it is investigating the data theft "as a matter of urgency", cyber-security experts have been talking extensively to the media about the possible origin of the attack. One of them, Professor Alan Woodward of the University of Surrey, told the BBC:
"They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk. It looks very much like the details were nabbed at the point of entry - someone managed to get a script on to the website."
This means that a piece of malicious code on the BA website or app may have been covertly extracting customer credit card details and sending them to another party while customers were typing them in.
According to Woodward, this is an increasing problem for websites that embed code from third-party suppliers, a scenario also known as a "supply chain attack". But the professor also says it may just as easily have been a company insider who tampered with the website's and app's code.
Although BA states the data breach has since been resolved and its website is working properly, it may not get away with the theft of its customers' data as easily as the hackers did.
The line "We take the protection of our customers' data very seriously" is now being assessed by the British authorities, which seem to have their eyes set on disciplining the airline under the European Union's (EU) tough data privacy laws.
It all comes down to, as Bloomberg explains, the EU's General Data Protection Regulation, or GDPR, which took effect across member states in May 2018 (reminder: the UK is still a member until March 29, 2019).
The regulation requires companies to take technical precautions such as encryption to ensure client data is protected. It also states that companies must notify authorities about breaches within 72 hours after learning about them.
Non-compliance quite simply means fines.
And yes, BA alerted its customers and authorities swiftly enough. In a statement on September 6, 2018, BA said it immediately contacted the affected customers once the extent of the breach became clear, and that it was advising those who suspect they may have been affected to contact their banks or credit card providers.
BA also said it had notified the police and the relevant authorities about the incident, those being the UK's National Cyber Security Centre and the National Crime Agency.
But under the GDPR, the data breach could still cost the airline a hefty sum. According to the BBC, BA could potentially face fines of as much as 4% of the company's annual global revenue, or about USD 637 million (£489 million) based on 2017 figures, from the Information Commissioner's Office, which is investigating the breach.
And if the maximum penalty were applied to the sales of BA's parent company, International Airlines Group (IAG), of about USD 30 billion (£23 billion) in 2017, it would reach nearly USD 1.2 billion (£920 million), according to Reuters.
Shares in IAG dropped 2% in afternoon trading on September 7, 2018, following the news of BA's data breach, meaning that shareholders can expect the financial toll from the incident to hit profits over time.
And do not forget: BA still has to compensate the customers whose data has been stolen. As the airline's chief said, the company is "100% committed to compensate" them.
"We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered," the BBC quoted Cruz as saying.
But 380,000 affected customers? That should translate into another hefty sum for BA, something we will surely hear more about in the days and weeks to come.
Source: AeroTime