BA’s data breach: the costs

On 6 September 2018 British Airways (BA) announced that it had been hit by a cyber attack, resulting in data from around 380,000 booking transactions being stolen.

The theft took place between 21 August and 5 September, with both personal and financial details of customers being compromised. When informing people affected by the compromise, BA admitted that the data harvested included bank card numbers, expiry dates and CVV codes.

Like other companies, BA is not permitted to store CVV codes: the fact that they were taken suggested that they were scraped as customers keyed them in.

Indeed, within days, a code analysis found evidence of a script that had been designed to steal financial information by 'skimming' the details entered on the payment page before it was submitted. The same script was found both on BA’s website and its mobile app, and it has now been concluded that the most likely perpetrator of this attack is a hacking group called @Magecart. This group has been around since 2015 and is believed to have been responsible for a number of high-profile attacks, including the breach of Ticketmaster in June this year.

BA is likely to face the highest level of fines due to the amount of sensitive data that was stolen. Under the EU’s General Data Protection Regulation (GDPR) that came into force in May 2018, it could be forced to pay up to four percent of its global annual revenue. The company is owned by International Airlines Group (IAG); it is unclear whether the fines would be levied against BA itself - in which case they would total something in the region of £500 million - or IAG, in which case they would be even higher.

BA will also be liable for other costs resulting from this data breach. Customers who have been affected may claim compensation, not only for any financial losses they may have suffered, but also for the theft of their personal data. This is thought to include information such as names and physical and email addresses.

High street banks, which are repaying stolen funds to their account holders, are also likely to sue BA for compensation. It is too early for the costs involved to be calculated; customers may not yet know whether or not their payment cards have been used for fraudulent purposes, although the immediate replacement of credit and debit cards obviously helps to mitigate the risks.

While BA reported the incident in an extremely timely manner (if only to adhere to the stipulation in GDPR that all such incidents must be made public within 72 hours), it has nonetheless come in for criticism over its response to the attack.

It was claimed that BA had not provided sufficient information when announcing the breach, and that the company’s statements did not inform customers clearly enough that their financial data had been stolen, instead simply advising them to contact their banks. The failure to highlight the theft of CVV numbers was a very serious omission.

Reputational damage is of course difficult to assess, particularly in the short term. It is certainly important that customers see that BA has taken appropriate action. It is also evident that BA is in a somewhat enviable position: passengers booking flights have little choice but to rely on it, due to its market share and ownership of the majority of landing slots in the UK, which offer little chance for other companies to compete effectively.

BA was also hit by a serious computer failure in 2017: this left 75,000 of its passengers stranded. Yet despite a great deal of adverse media publicity, demand for its flights does not appear to have been affected.

As an aside, it is also worth noting that BA is not the only airline hit by a cyber attack in recent months. On 29 August Air Canada sent out emails to all customers asking them to change their passwords for its mobile app after "unusual login behaviour" was detected. The following day it was revealed that data had been stolen from around 20,000 people, though financial information was apparently not taken.

Whether or not these recent attacks suggest that the aviation sector is currently under attack, the BA breach offers an opportune reminder of the difficult task facing cyber security teams operating within any organisation involved with the processing and storage of personal data.

As well as the necessity of identifying data breaches as quickly as possible, for obvious reasons, the 72-hour window permitted for announcing the compromise once it has been discovered places further stress on staff. Even while reporting it to the appropriate authorities, employees need to assess who has been affected, how many records have been compromised, and what type of data has been stolen: all this must take place while they are dealing with the problem to ensure there is no further compromise. This all follows on from the challenges of identifying the breach in the first place.

Interestingly, IAG had been planning to outsource its cybersecurity operations to IBM, in a quest for a company-wide proactive approach to dealing with cyber threats. BA had approved the scheme. Were there concerns about the abilities of staff currently employed in the IT division? Was there a failure to attract a sufficient number of highly skilled experts? Or was there simply a desire to cut costs?

Note: BA will of course have high levels of cyber insurance in place, and may claim against it for the fines meted out under GDPR and for compensation payments to both customers and banks; further lawsuits could also be forthcoming.

BA will also attempt to keep its losses to the absolute minimum, and in its efforts to do so could even launch legal action against the Lithuanian company Time4VPS, which hosted the domain used by @Magecart. During their careful preparations for the attack, the hacker group had bought and registered an SSL certificate, and used scripts specifically targeting the British Airways payment systems, something which the airline may claim points to lax security practices on the part of Time4VPS.

However, it is worth noting that it is NOT the responsibility of the provider to police the content they are hosting unless they are made aware through direct or indirect observation that such content is obviously illegal or harmful in some way.

As the consequences of this serious data breach continue to unfold, the outcome will surely be higher costs for customers as BA seeks to recoup its losses.