It’s a situation that could happen – and has – to countless companies. From Yahoo to the NHS, no business or organisation, it seems, is immune to cyber security risks.
And the travel sector is no exception. Last year it was Abta; last month Butlin’s; and last week British Airways.
It is this latter breach, though, that is particularly worrying. Firstly, there’s its scale – some 380,000 transactions affected, a figure described by security experts as “astounding”. Secondly, the theft was not just of customers’ personal details, but of their financial information and – crucially – their CVV card security codes.
The airline is not unique in suffering a cyber attack. But is it to blame for its failure to prevent one? The fact that fines can be issued to those who suffer such data breaches (up to £500m in the case of BA, thanks to GDPR) would suggest so.
There is also some doubt over the carrier’s cost-cutting measures: have they gone too far? Complimentary food and drink were removed from short-haul economy services – did BA’s desperation to curb costs also stretch to its IT systems?
BA insists not. A spokesman told the Financial Times the airline is “investing more in cyber security than ever before”. But this will be of little comfort to the hundreds of thousands of affected customers.
To its credit, BA did at least respond more swiftly than after its 2017 IT meltdown. Full-page apology ads appeared in national newspapers, and the airline has promised “100%” compensation to any customers who lost money. On top of a potentially hefty GDPR fine and reputational damage, though, this could lead to a substantial bill.
For once, agents weren’t left to clear up BA’s mess. The airline has insisted only direct bookings were affected by the incident – GDS bookings are, for now, safe. Either way, though, BA’s data breach is a timely reminder that all travel companies, big and small, should invest in their cyber security.