British Airways data breach shows why every company needs a Cyber Incident Response and Crisis Communication Plan

14/09/2018

Written by Kathrin Wartmann

British Airways announce breach

On 6 September the British Airways (BA) official company Twitter account published a tweet stating: “We are investigating the theft of customer data from our website and our mobile app, as a matter of urgency.” This was the first public notification of the data breach suffered by the airline. News of the breach was quickly circulated by journalists in the UK and globally.

PERSONAL AND FINANCIAL DETAILS STOLEN

On the BA website, a short press release containing more information was available. According to this, customers who had made or changed bookings on the company’s website or app anytime between 2258 BST 21 August 2018 and 2145 BST 5 September had their data stolen. This includes the names, email addresses, credit card numbers, expiry dates and three-digit CVV codes used in approximately 380,000 transactions.

At the time of writing it is unclear exactly how the hackers managed to steal the customer data. BA states that the cyber attack had not been a breach of encryption but rather a ‘sophisticated’ effort by cyber criminals. Cyber security specialists suspect that hackers managed to embed a piece of malicious code on the BA website that extracted the personal and credit card data when customers typed in their details online.
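The skimming technique described above (injected script reading card details as they are typed) is something a site owner can check for and constrain on their own checkout pages. The following added example is not code from British Airways, NYA or the article; it audits the script tags of a constructed sample page against an assumed allowlist of first-party hosts and checks a Content-Security-Policy header for the settings that let an injected script run and post data to an arbitrary destination. All hostnames, the sample HTML and both policy strings are constructed for the example.

```python
"""Audit a checkout page's <script> tags and its CSP header for the
conditions that let an injected skimmer run and exfiltrate data.

Added example for this article; not BA's or any vendor's code.
Hostnames, sample HTML and CSP strings below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}


class _ScriptCollector(HTMLParser):
    """Record every <script> tag's src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # one dict per <script>: src, integrity, inline

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"),
                                 "integrity": a.get("integrity"),
                                 "inline": a.get("src") is None})


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (severity, message) findings for the scripts in `html`."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["inline"]:
            # An injected skimmer usually arrives as inline script; a page
            # that already relies on inline script cannot forbid it via CSP.
            findings.append(("medium", "inline <script> present"))
            continue
        host = urlparse(s["src"]).hostname
        if host is None:  # relative URL, i.e. same origin
            continue
        if host not in allowed_hosts:
            findings.append(("high", f"script loaded from unexpected host {host}"))
        elif not s["integrity"]:
            findings.append(("low", f"script from {host} lacks an integrity (SRI) attribute"))
    return findings


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header):
    """Flag CSP settings that would let an injected script run or exfiltrate."""
    findings = []
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append(("high", "no script-src or default-src: any script may run"))
    else:
        if "'unsafe-inline'" in script_src:
            findings.append(("high", "script-src allows 'unsafe-inline'"))
        if "*" in script_src or "https:" in script_src:
            findings.append(("high", "script-src allows scripts from any host"))
    # connect-src falls back to default-src; form-action has no fallback.
    for directive, fallback in (("connect-src", policy.get("default-src")),
                                ("form-action", None)):
        sources = policy.get(directive, fallback)
        if sources is None or "*" in sources:
            findings.append(("medium", f"{directive} is unrestricted: data could be posted anywhere"))
    return findings


# Constructed sample checkout page with one good, one unpinned, one
# unexpected and one inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-airline.test/app.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.example-airline.test/analytics.js"></script>
<script src="https://unexpected-host.invalid/loader.js"></script>
<script>window.__cfg = {};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed policies: the weak one permits inline and any-host scripts
# and leaves form-action open; the hardened one pins script hosts and
# confines connections and form posts to the site's own origin.
WEAK_CSP = "default-src 'self'; script-src 'self' https: 'unsafe-inline'"
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example-airline.test; "
                "connect-src 'self'; form-action 'self'")

if __name__ == "__main__":
    for sev, msg in audit_scripts(SAMPLE_PAGE):
        print(f"[{sev}] {msg}")
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, "policy:", audit_csp(csp) or "no findings")
```

Run against a real page, the script audit is only a snapshot; the same check belongs in a scheduled job or CI step that fetches the live checkout page, since the point of an injected skimmer is that the served page differs from the deployed one. The CSP audit is deliberately strict about `form-action` and `connect-src`: restricting where script may run is half the control, restricting where the browser may send data is the other half.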

CRISIS COMMUNICATION IS KEY TO REDUCE REPUTATIONAL DAMAGES

On 7 September BA informed affected customers via email that their personal and financial details had been compromised. BA advised affected customers to contact their banks or credit card companies and assured them that BA would reimburse any “financial losses suffered by customers directly” because of the data breach. At the same time as the emails went out, BA CEO Alex Cruz gave an interview to the BBC, apologising to all BA customers and reiterating the promise that “no BA customer will be left out of pocket”.

Throughout 7 September customers’ reactions on social media (mainly Twitter) provided an indication of the high level of public outrage regarding the data breach. Many customers were particularly irritated that they first learned of the incident through the media on 6 September and only later received a direct notification from the company via email. There was also widespread incomprehension as to how data breaches can keep happening to large, international companies that should have the resources to put sufficient measures in place to protect customers.

Recent years have seen a significant number of similar incidents affecting companies such as Ticketmaster, Uber, and T-Mobile. Customers, the media and the general public are increasingly aware of the lack of cyber security best practices and the consequences suffered by those affected by data breaches. A data breach can seriously harm a company’s reputation and competitiveness. Furthermore, the EU’s new General Data Protection Regulation (GDPR) requires that companies notify authorities of any breaches within 72 hours. This increased time pressure means companies should have a crisis response and communication strategy in place before an incident occurs.

HOW NYA CAN HELP

NYA can support clients to improve their resilience through cyber security training, awareness programmes for employees and the development of an adequate crisis communication strategy. In order to mitigate the impact a cyber attack can have on a company’s reputation and operational ability, a cyber incident response plan needs to be in place. Simulated incident workshops can test and improve incident management and response plans. NYA can support the review of cyber incident and cyber response policies and procedures to ensure the uniform application of best practice standards at all levels.

Contact us here to find out more.

Our crisis response consultants provide you with practical advice, options and scenario planning based on tried and tested procedures.