Data breach makes huge fines and pay-outs inevitable, says Ian Taylor

British Airways is in trouble. The data security breach which saw BA lose the bank details of 380,000 customers between August 21 and September 5 “might be the worst financial data breach of all time”, according to at least one cyber security expert.

The business newspaper the Financial Times agreed, noting: “Other hacks have been much larger, [but] this is one of the worst in history.”

BA gave public notice of the breach on the evening of September 6 so it at least complied with the EU General Data Protection Regulation (GDPR) requirement to give notice within 72 hours.

Unfortunately, that is about all the airline appears to have got right.

We can also concede the carrier was unlucky to be the first major European company to fall foul of such a serious breach this side of the GDPR coming into force.

But that is the extent of the extenuating circumstances.

BA did not just lose customers’ personal details and credit card numbers, it lost the three- and four-digit security codes – the card verification value (CVV) codes – designed to protect against online fraud.

Merchants are not supposed to retain these. Payment card industry safety standards prohibit it.

BA insists it did not store the codes. In that case, they must have been scraped as customers keyed them in or intercepted as they were sent for authorisation.

Either way, it is as serious a breach of the payment process as there can be.

A tech security company, RiskIQ, claimed to have identified the attacker as credit-card skimming group Magecart, which carried out an attack, revealed in June, on US ticket sales site Ticketmaster.

RiskIQ suggested the attack compromised the BA site directly, re-writing BA site codes “to steal data consumers enter in online payment forms”.

BA declined to comment.

Another security researcher suggested responsibility lay in a vulnerability on BA’s webserver, adding that “might say something about resources in their IT department”.

Certainly, there are widespread suspicions that BA and parent IAG have scrimped on tech spending.

Customers expressed anger at responsibility for dealing with the consequences of the attack – cancelling cards – being put on to them.

Banks had to issue hundreds of thousands of replacement cards. One BA customer – the head of a major UK travel company – reported having to cancel four credit cards as a result of the breach and, as of yesterday, he had still not heard from BA.

Several banks cancelled all cards used on the BA site and app over the course of the 15 days without waiting to hear from the carrier.

Damningly, on September 12 the Financial Times reported: “Some [banks] say they still have not heard directly from BA.”

Santander noted that replacing the cards “mitigates this risk [of fraud] but does not eliminate it”. Other banks pointed out that it could be weeks before frauds occur.

In an email to customers and in a statement, BA chief executive Alex Cruz promised compensation to those who “suffered financial losses as a direct result of the theft”.

Let him try making that stick.

The UK Information Commissioner’s Office (ICO) described the breach as “extremely rare” and is investigating. It is certain to penalise the carrier.

The ICO has the power to impose a fine of up to 4% of global turnover – £500 million (€560 million) in this case.

It will consider not just direct financial losses but “the extent of any exposure to physical, financial or psychological harm” – and that will form the basis of all customers’ claims and legal action.

Multiple lawsuits and, no doubt, a class action are certain. The banks are also sure to seek recompense.

Beyond BA, the breach raises wider questions about the rush to digitise and connect every aspect of air travel.

Carriers are in the firing line on cyber security since they make attractive targets for those seeking payment data just as airline ticket sales have previously been a magnet for fraudsters.

A consultancy report in May this year warned the “hyper-connect model [of] fast internet and digital engagement with airlines [creates] a larger attack surface for cyber criminals to exploit”.

The response from other, often loud, voices in the sector has been notably muted. Even Ryanair’s Michael O’Leary declined to score points off BA, instead noting “the enormous challenges around data protection”.

However, O’Leary could not resist one pot shot, saying: “We have not subcontracted out a lot of our IT and digital development” as BA has done.

One aviation analyst told the Financial Times (FT): “If I were a criminal looking for an airline to target, I would look for an airline such as BA that has been through a period of austerity.”

The FT noted parent group IAG’s most recent annual report detailed €90 million in cost savings in the group’s back office, including IT services.

In the circumstances, it is hard to see how Alex Cruz can survive – or the fall-out not spread to IAG where the silence from chief executive Willie Walsh will be construed as more meaningful the longer it continues.

Cruz was widely ridiculed for his video apology to customers following last year’s IT meltdown at BA.

This time we have not even seen a video.
