It’s been a couple of months since British Airways’ website was hacked and the personal data of roughly 380,000 of its customers was compromised. The dust may have settled since the debacle, but as we reflect on BA’s handling of the situation we can highlight a couple of lessons learned:
Any business can be hacked
British Airways is a big business with a complex website and an army of IT experts at its fingertips. Yet its customers’ data was breached, and payment details were stolen between 21 August and 5 September 2018.
It’s not the only company to get hacked – recently Air Canada said that 20,000 people using its app had their data “improperly accessed” and Thomas Cook admitted that around 100 bookings had been compromised.
It seems travel businesses are a favourite among hackers as there’s a plethora of juicy information to access, such as names, addresses and credit card numbers, which are all standard bits of information demanded by airlines when passengers book tickets.
While you may believe that your business is a minnow compared to the big fish that is BA, it doesn’t mean that you won’t be a hacking victim one day. Hackers are ruthless, and they don’t care about size.
Make sure you inform your customers in a timely manner
At the very least, don’t just share the fact that you've had a data breach on a social media platform. Make sure you break the news efficiently and clearly. According to an article in The Telegraph, customers ‘raised concerns that the airline had not contacted them directly about the hack’. One customer told the paper, “I saw the tweet, that was the first I knew of it”.
If there’s a problem, it’s your company’s obligation to inform customers immediately – there are even regulatory rules around this. Under GDPR rules, companies must inform regulators within 72 hours of becoming aware of a data breach attack. Be clear about what happened in the attack and what information has been compromised. Leaving customers with too many unanswered questions will just lead to panic.
The hack needn’t be sophisticated to be effective
Reports since the hack have said that malicious code was injected into the British Airways website to cause the data breach and access customers’ data. According to RiskIQ the malicious script consisted of just 22 lines of code. The same type of code was used to access the Ticketmaster website. Hackers just need to spot one weak element in the construction of your business' site to make a breach and steal data.
If you are worried about your business’ data security – talk to an expert
Some reports single out BA’s outsourcing of its IT capabilities to India as the problem. There is nothing wrong with outsourcing or using in-house teams, but are you confident that you have the right experts who can shield you from the latest hacking strategies and tactics out there?
Can you prove that you have done what your regulator expects of you with regard to network security? Have you protected every possible entry point into your business and your supplier businesses? Some bigger companies certainly don’t get it right.
Call us today on 0208 0880 671 for a free no-obligation security scan for your entire business. We’ll assess your strengths and internal policies.