BA praised for swift GDPR-aligned action on data breach

Security industry commentators have commended British Airways (BA) for is swift action and transparency in alerting customers to a data breach.

The airline has alerted affected customers, police and the Information Commissioner’s Office (ICO) about the theft of customer data from the company’s website and mobile app.

The incident is also reportedly under investigation by the National Crime Agency (NCA) and National Cyber Security Centre (NCSC).

Personal and financial details of customers making bookings and changes on the BA website and mobile app between 22h58 on 21 August and 21h45 on 5 September are believed to have been compromised.

However, the airline said the stolen data does not include travel or passport details and that Executive Club accounts were not affected.

According to BA, the incident has been resolved. As a result, all systems are working normally and no travel will be affected.

The airline said it is investigating the incident “as a matter of urgency” and that it was “deeply sorry for the disruption that this criminal activity has caused”, adding that it takes the protection of its customers’ data “very seriously”.

Any BA customers who think they may have been affected by the data breach are advised to contact their bank or credit card provider, but the airline said it had contacted all affected customers directly.

BA has also undertaken to reimburse customers for any financial losses and to provide a credit checking service. Around 380,000 transactions were affected, according to BBC news.

The data breach is the latest in a series of IT-related problems to hit the airline. In May 2017, a power failure caused the airline’s check-in, baggage handling, booking and contact centre systems to fail. In August 2017, an IT failure led affecting check-in systems caused flight delays at Gatwick and Heathrow Airport. In June 2018, more than 2,000 tickets were cancelled due to incorrect pricing. Then, in July 2018, IT problems led to dozens of flights to and from Heathrow Airport being cancelled.

The breach is likely to be the first UK case since the European Union’s (EU’s) General Data Protection Regulation (GDPR) and UK GDPR-aligned Data Protection Act 2018 came into force, and could result in stringent measures including a potentially huge fine if British Airways is found to have acted negligently.

However, by alerting the authorities and affected customers apparently within 72 hours of discovering and resolving the breach as required by the GDPR, the airline is off to a good start.

“BA’s reaction was very fast. The company’s transparency and frankness serve as a good example to other companies who are prone to minimising the consequences,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge.

However, he said it was too early to make any “definitive conclusions” before a comprehensive technical investigation of the breach and its origins.

“Shadow IT and legacy applications are a plague of today. Large organisations have so many intertwined websites, web services and mobile apps that they often forget about considerable part of them,” said Kolochenko. 

“On the other side, cyber criminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS [content management system], they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve a perfect prey to the attackers.”

Kolochenko also noted that web applications are the “Achilles’ heel” of modern companies and organisations, while lawmakers are making their lives even more complicated by introducing strict data protection rules.

“Due to the GDPR, for example, many organisations had to temporarily give up their practical cyber security and concentrate all their efforts on paper-based compliance. New cyber security regulations may do more harm than benefit for the society if improperly imposed or implemented,” he said.

Jake Moore, security specialist at ESET, warned that after a large-scale incident like this, fraudsters worldwide will inevitably jump at the chance to try to catch a few unsuspecting people out.

“Anyone receiving any emails purporting to be from this incident or mentioning it, which ask for any personal information or to click on unverified links, should discard those emails,” said Moore.

“If your data is included in this breach, you’ll need to take action to protect yourself. If you find your credit or debit card has been compromised, consider requesting a new card.”

Moore also recommends that BA customers potentially affected by the breach should check their card statements for suspicious activity or purchases online.

“It goes without saying to change your BA.com password. After any breach of such velocity, it is always a good idea to change your passwords along with the same ones used on other websites,” he said.  

Bill Evans, senior director at One Identity, said it is heartening to note that BA is working with those individuals whose card payment information was breached as well as working with authorities all seemingly aligned to the GDPR.

“While it’s far too early to tell how this latest breach occurred, usually these types of cyber crimes are the result of poorly managed privileged accounts which are the accounts that have access to most, if not all, IT systems,” he said.

“Protecting these accounts is perhaps the single most important security step any organisation can take, followed closely by multi-factor authentication and access governance.”