The Woes of Airline Travel: Lost Luggage, Poor Food and Now Data Breaches

October 11, 2018 Lee Edge, Senior Risk Advisor EMEA

When the first commercial airline took flight, piloted by Tony Jannus, in 1914, 3,000 people gathered at the pier in St. Petersburg, Florida to watch in awe. The flight lasted only 23 minutes and it’s fair to assume that Abram C. Pheil, who was a passenger on board, probably wasn’t worried about his luggage being lost, subpar food, or that his personal data would be threatened.

Fast-forward to 2018 and passenger planes are not the only thing in the clouds. We have become increasingly reliant on the convenience that internet connectivity brings. Unfortunately, demand for speed and ease of online booking has come at a price for some airline passengers and the carriers they trusted with their personal data. 

 

Might as Well Place Your Data on the Baggage Carousel

British Airways (BA) has been making headlines after the airline suffered a malicious breach of its website and mobile app. Around 380,000 payment cards – including the three-digit CVV security code on the back of cards – were compromised during the cyber-attack over a two-week period between 21 August and 5 September 2018. Confusion among BA customers was further compounded by news that the data was almost certainly being traded on the dark web immediately after the attack.

As recently as June – a month after the EU's new General Data Protection Regulation (GDPR) came into force – members of BA's frequent flyer programme received an email reassuring them that: “Your personal information is in safe hands with British Airways. We want you to know you can trust us to respect your privacy and keep your personal information safe.”

The BA cyber-attack is not an isolated incident within the airline industry. In fact, it's just the latest in a growing list of data breaches to be reported:

  • Air Canada recently confirmed a data breach of its mobile app, including passport details, between 22 and 24 August 2018, affecting up to 20,000 of its customers.
  • In July 2018 it was revealed that a major vulnerability in Thomas Cook Airlines' booking system had exposed the names, email addresses and flight details of customers.
  • In May 2018, Atlanta-based carrier Delta Airlines announced that its third-party online chat service had been impacted by a cyber incident between September and October 2017, resulting in customer payment information being compromised. 
  • In 2016, Korea's second largest airline, Asiana Airlines, confirmed that its website had suffered a security breach, compromising the sensitive information of thousands of its passengers, including passport information, home addresses, bank account details and phone numbers.

So, what are the implications of a cyber-attack and subsequent theft of personal data to both the airlines and their customers?

 

Sky's the Limit to Your Reputational Damage

Organisations receive and store vast amounts of personal data, bringing the issue of consumer trust to the fore. Established companies like BA build trust over time via proven track records. According to SAI Global's Consumer Trust Index (CTI), a good reputation - even in the absence of direct experience with a company - equated to trust for 76% of consumers.

Hard-earned trust can be fragile, however, even for a company of BA's stature, particularly when it comes to a private data breach that could result in identity theft. The CTI reveals that 43% of consumers indicated they would never return to a company if their data had been breached. Put another way, imagine two out of every five customers taking their business elsewhere because of a cyber-attack that could have been avoided.

 

The Real Reason Behind Increased Baggage Fees

BA could face a hefty fine if found negligent in its handling of the incident. Under GDPR, companies are required to take precautions to protect customer data and notify the relevant authorities of any breaches within 72 hours. If it can be demonstrated that BA didn't do enough to protect the data in question, it could face a fine of up to four per cent of its annual revenue. The airline's total revenue in 2017 was £12.2 billion, meaning it could be forced to shell out around £500 million. In addition, estimates from legal experts suggest those impacted by the breach could claim up to £1,250 in compensation from BA.

 

Avoiding the Reputational and Financial Mayday Call

By implementing a robust risk management framework, an organisation gives itself a solid foundation for avoiding a crisis in the first place, and a better framework for managing one if and when it occurs. This helps the organisation reduce reputational and financial damage. According to the CTI, 47% of consumers strongly agree that trust can be regained by taking responsibility for the issue, ensuring it isn't repeated and providing ongoing high-quality service. Further, 44% of consumers strongly agree that taking time to understand the cause of the issue can regain their trust, and 36% strongly agree that compensation for the issue can regain their trust.

The provision of clear information to those affected about what happened and the steps they should take to protect themselves is essential in the immediate aftermath of a data breach. Having apologized, BA was quick to explain the nature of the breach and advise concerned customers to contact their banks or credit card providers and follow their advice. Before confirming the issue had been resolved, BA had notified the police and relevant authorities. In terms of financial compensation, BA chief executive Álex Cruz was at pains to stress that “We will work with any customer affected and we will compensate any financial hardship suffered.”

Companies must take data security seriously to ensure ongoing viability. The most effective means of preventing reputational and financial damage is adopting a proactive approach to cybersecurity detection and response. By stopping data breaches from occurring in the first place, consumer trust in the brand will be protected. And when a cyber-attack does occur, the speed and efficiency of the response is crucial.

 

To talk to us about your data privacy requirements, contact us.

 

 
