Hacks demonstrate airlines’ vulnerability, says Ian Taylor

British Airways and parent International Airlines Group (IAG) engaged in a sharp piece of media management this week.

They had a nasty piece of news to get out. BA had to give notice of a second data breach involving the theft not just of personal data but of customers’ card details, including the CVV card-security numbers which retailers are expressly forbidden to retain.

What did BA and IAG do?

IAG issued an “Update on BA cyberattack” on Thursday afternoon and followed up within minutes with an “interim dividend” announcement, informing the markets of a near 7.5% increase in the dividend the group would pay to shareholders.

The group’s share price consequently rose almost 4% before the end of the day and IAG followed up this morning with third-quarter results showing “strong” trading and a three-month operating profit of €1.46 billion.

The results captured the lion’s share of media attention. Yet the brief cyber-breach statement may yet prove the more interesting set of figures.

Recall that on September 6, IAG-BA revealed the card details of 380,000 BA customers had been compromised between August 21 and September 5.

Now it turns out the details of an additional 185,000 cards were hacked over a three-month period ending a month before the main breach.

Of these compromised cards, 77,000 involved the likely theft of CVV codes.

On top of this, BA also now confirms that 244,000 of the 380,000 cards compromised in the August-September breach “were affected”.

BA has not explained what “affected” means, but we may assume – since the airline has not qualified the term – that the CVV codes of 244,000 cards were swiped, making 321,000 in all.

This is astonishing stuff.

Payment-card industry standards prohibit merchants from retaining these codes. BA insists it did not store them, so the codes must have been scraped as customers keyed them in or intercepted as they were sent for authorisation.

Yet we don’t know what happened, so we don’t know the implications – and whatever IAG knows, so far it is not saying.

Hong Kong-based Cathay Pacific also suffered a cyber breach, we learned this week. In its case, the details of 9.4 million passengers were accessed in a breach the airline first became aware of in March.

The carrier says it “confirmed” in May that personal data had been compromised, but it gave notice of the fact only this week.

Passport and identity card numbers, email addresses and expired card details were among the data compromised.

Cathay shares slumped in trading in Hong Kong following the disclosure.

However, Cathay appears not to have ‘lost’ any payment card security codes – at least thus far.

We don’t need to rank breaches in order of significance, especially when the fall out of any cyber breach can be complex and long lasting. But clearly, the compromise of payments is especially serious for the sector.

Cyber security analyst Sam Curry of Cybereason suggested: “The airline industry has a target on its back.” Indeed, it does.

Fellow analyst Tim Helming of DomainTools noted of the Cathay attack: “This type of breach is wearyingly common. Companies simply need to do better when protecting our data.” Indeed, they do.

Perhaps, they also need to keep less of our data.

The business newspaper the Financial Times noted a contradiction between the need for security and the drive to accumulate data and personalise retail offers, suggesting: “Commercial incentives mean that preventive spending on cyber security can have limited effect.

“Airlines are particularly vulnerable because of the large quantity of data they collect about passengers.”

It suggested: “Disposal limits the impact of data leaks. Instead of thinking about data as ‘oil’ worth storing, companies should consider the analogy of toxic waste.

“Assured deletion is the only plausible reason for consumers to entrust them [airlines] with accurate data.”

The UK Information Commissioner’s Office (ICO) is investigating the BA breach.

It described the cyberattack BA gave notice of in September as “extremely rare” and, following the latest update, noted both that CVV codes had been stolen and that the number of victims had increased.

The consequences for BA could be serious. But airlines more generally could do with considering their data-use, retention and protection.