British Airways fined $328m for lax card security

In Business Resources, Customer Service, Harmonisation

400,000 British Airways’ customers had their credit card data stolen, with some customers frustrated that reported discrepancies went unchecked.

British Airways fined record $328 million after credit card data theft affected 500,000 people – Posted

British Airways faces a record $328 million fine over cyber theft after a hack last year that affected half a million customers — the highest penalty ever proposed under tough new data protection rules.

Key points:

  • The scam in September last year saw customers diverted to a fake website
  • Credit card details were then harvested by the cyber attackers
  • British Airways chief executive said he was “surprised and disappointed” by the penalty

British Airways owner International Airlines Group (IAG) said the United Kingdom Information Commissioner’s Office (ICO) intended to impose a penalty of 183.4 million pounds ($328.6 million) for the theft of customer data from the airline’s website.

The airline revealed last September that the credit card details of hundreds of thousands of its customers were stolen in an attack on its website and app.

The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.

Hackers stole credit card numbers, expiration and three-digit security codes, as well as names, addresses and email addresses.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that — personal.”

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear — when you are entrusted with personal data you must look after it.”

The proposed penalty equates to 1.5 per cent of British Airways’ worldwide turnover for 2017.

ICO said its investigation found “poor security arrangements” by British Airways, but the airline indicated that it planned to appeal against the fine.

The penalty was the product of European data protection rules, called GDPR, that came into force in 2018. They allow regulators to fine companies up to 4 per cent of their global turnover for data protection failures.

“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, chairman and chief executive of British Airways.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft,” he said, adding an apology to customers for any inconvenience caused.

Willie Walsh, IAG’s chief executive, said British Airways would be making representations to the ICO in relation to the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.

British Airways data breach affects almost 400,000 customers, airline promises compensation – Updated

Hackers have obtained the credit card details of some 380,000 British Airways travellers during a two-week data breach that left the customers vulnerable to financial fraud, the airline says.

Key points:

  • Hackers stole card numbers, expiration dates and security codes
  • BA’s CEO said it was a “sophisticated, malicious” attack
  • Some travellers said they noticed fraudulent activity before the breach was detected

British Airways CEO Alex Cruz said enough data was stolen to allow criminals to use credit card information for illicit purposes, and police were investigating.

“We know that the information that has been stolen is name, address, email address, credit card information,” he told the BBC.

“That would be credit card number, expiration date and the three-letter code in the back of the credit card.”

Mr Cruz said the carrier was “deeply sorry” for the disruption caused by the attack which was unprecedented in the more than 20 years that BA had operated online.

He said the attackers had not broken the airline’s encryption but did not explain exactly how they had obtained the customer information.

He added that no passport data had been obtained in what he called a “very sophisticated, malicious criminal attack,” but that British Airways is “100 per cent committed” to compensating customers.

The hack was not discovered until September 5 and has now been resolved, officials said.

“They’ll know exactly when to burgle my house.”

Colin Harbour, who’s a British Airways data theft victim, fears BA may not have revealed the full extent of information compromised from his account.

British Prime Minister Theresa May’s spokeswoman said the Government was aware of the cyberattack and authorities were working to better understand the incident.

“We are aware of the reports and the National Cyber Security Centre and the National Crime Agency are working to better understand what has happened,” she said.

Some angry travellers complained to Britain’s Press Association that they had already noted bogus activity on credit cards that had been used to make British Airways bookings during the time when the breach was undetected.

The hack once again puts the spotlight on the strength of the IT systems at major companies as they expand their digital services.

British Airways experienced an IT-related crisis in May last year when roughly 75,000 passengers were stranded, after the airline cancelled more than 700 flights over three days because of system problems.

In the US, Delta Airlines said in April that payment-card information for several hundred thousand customers could have been exposed by a malware breach months earlier. The same breach also hit Sears Holdings Corp, which operates Kmart stores in the US.

You may also read!


Royal Caribbean ignored NSW Health advice

TTN 26th March 2020 Audio of The Ovation of the Seas captain declaring that passengers would not require quarantine on disembarkment


COVID-19 brings off season early for tourism operators

Image: Proof significant social distancing can stop Australian tourism industry being wiped out. TTN 16 Mar 2020: The ABC's Health


Bad creative gives SA Tourism a bad name

TTN Editorial - After a tousle for SA Tourism's advertising account, international ad agency TBWA has used SA Tourism's


Mobile Sliding Menu