Every so often, regulation works. Last week’s disclosure by British Airways that cyber criminals had stolen the financial details of 380,000 customers was one of those rare times.
Historically, companies have waited months, even years, to tell their customers about a data breach. Yahoo, for example, did not disclose a 2014 breach of 500m accounts until September 2016, and three months later admitted that a separate 2013 breach had hit 1bn accounts, a figure it raised to all 3bn of its accounts in 2017.
But the EU's General Data Protection Regulation, which took effect in May, requires companies, on pain of large fines, to notify their regulator of a personal-data breach within 72 hours of becoming aware of it, and to tell affected customers without undue delay when the risk to them is high. BA duly complied last week.
For that, I guess, the company’s leadership should be congratulated. The rest of its behaviour in this sorry tale leaves something to be desired.
Although other hacks have been much larger, this one is to my mind one of the worst in history. That's because BA not only lost customers' personal details and their card numbers, it handed the bad guys the three- or four-digit security codes printed on the card, which are the last line of defence against online fraud.
The codes, known collectively as the CVV (and individually as CVV2, CVC2 or CID, depending on the card scheme), are considered so sensitive that the payment card industry's data security standard, PCI DSS, forbids merchants from storing them anywhere once a transaction has been authorised, even in encrypted form.
BA insists it did not store that data, yet the attackers were somehow able to make off with the CVV numbers of customers who paid to book or change tickets between August 21 and September 5. Not storing a code is no guarantee that it cannot be stolen: it can also be captured at the moment the customer types it in, for instance by malicious code running on the payment page itself, and the airline has not yet said how the data were taken. The UK Information Commissioner's Office says such breaches are extremely rare.
The lost data are so important that several UK banks, including Santander, Barclays, and newcomer Monzo, have already cancelled and reissued any credit card that had been used on the BA website and app during the 15-day vulnerable period. The lenders acted purely on the press reports, without waiting to hear from the airline or for signs that the data were being misused. Good thing too. Some of them say they still haven’t heard directly from BA.
BA customers, meanwhile, have received at least two emails from the airline’s chief executive Alex Cruz. The first encouraged them to contact their banks, and the second promised compensation for customers who have “suffered financial losses as a direct result of the theft”. No word yet about people who lost time sitting on hold for their banks or had to wait for new credit cards.
Neither the customer emails nor the airline's public statements to date have offered any explanation for how BA managed to lose such vital information. Some critics of the airline have asked whether its parent IAG has focused too much on cost-cutting and failed to invest sufficiently in technology. This is its second big problem in two years: last May, BA's global IT system crashed, grounding more than 700 flights and leaving 75,000 passengers stranded.
To be fair, the two incidents are almost certainly unrelated, beyond what they jointly suggest about the state of BA's IT. An airline spokesman insisted, "This was a sophisticated criminal act. We are investing more in cyber security than ever before and will continue to do so."
Given the seriousness of the hack, customers and investors could legitimately expect to hear not only from Mr Cruz but also from his superiors at IAG.
“Board members and senior management teams must be proactively involved in understanding and addressing cyber risk management, and in particular, the response elements of an incident,” says Phil Beckett, managing director for disputes and investigations at consultancy Alvarez & Marsal.
But IAG boss Willie Walsh so far has left Mr Cruz to take the heat. A spokesman says the chief executive is “fully aware and supporting” his underling.
He had better be. After all, fines under GDPR can reach 4 per cent of worldwide annual turnover, or about £500m in BA's case.
Even if the airline avoids the highest fines because of its prompt disclosure, its costs will not stop there. When US retailer Target lost some 40m card numbers in 2013, customers' financial details soon appeared for sale online and fraudulent transactions rose.
Target eventually calculated that its net cost after insurance from the data breach had been $202m, of which regulatory settlements accounted for just $18.5m. That hack was much larger than BA’s but did not involve wholesale theft of security codes.
Not every hacked company pays the price, at least not right away. One year after Equifax revealed a data breach affecting 143m people, the credit agency has so far avoided major penalties, and its share price has largely recovered from its early tumble.
BA is unlikely to be so lucky.
Source: https://www.ft.com/content/a301f46a-b4df-11e8-bbc3-ccd7de085ffe868