Debate Magazine

British Airways Customers’ Credit Card Details Likely Already for Sale on the Dark Web

Posted on the 20 September 2018 by Darkwebnews @darkwebnews

British Airways is investigating a case where the credit card details of around 380,000 customers were stolen from its website in a hack.

This happened over a period of two weeks and the company has urged the affected parties to contact their respective banks.

All this happened between August 21 and September 5.

The statement released by the airline indicated that the stolen information did not include travel or passport details but only personal and financial details.

Though the breach has since been resolved and the airline's site is back running normally, data that was stolen in the breach has reportedly headed toward the dark web, where those responsible for the hack will sell it at a profit.

This is the second IT disaster to hit British Airways in recent years. In 2017, the airline's data center was hit by a major power surge.

This data theft is, however, the most serious to hit a U.K. company, and it is affecting the company's reputation.

The airline and its parent company, IAG (International Airlines Group), have, however, denied allegations that the hack was due to their decision to outsource their IT operations.

The National Crime Agency is aware of the breach and will be teaming up with the airline and other partners to find the best solution.

The Information Commissioner's Office has urged the affected customers and those who think they could be affected to change their online passwords and monitor their bank accounts.

It is important that the airline moves quickly to solve the issue and secure customers' information.

Reports indicate that shares in IAG dropped by 1.5 percent after news on the breach broke earlier this month.

This amounted to £120 million (or over $157 million USD) being wiped off the stock market by investors.

The Hack

In its official statement, BA maintains that only personal and financial data was stolen and that this only affected customers between August 21 and September 5.

There has been some speculation about how the hack took place. Richard Walters, the CTO of CensorNet, suggests that the hackers exploited a flaw in the software on the British Airways website.

This would enable the hacker to intercept messages, including the financial data that was stolen, and copy the data as it was relayed to the IT center.

This is, however, just speculation, and the full details of how the hack took place could be out in a few months, at the conclusion of the investigation by the National Crime Agency.

Leigh Anne, a cybersecurity expert at Positive Technologies, says that the theft could not be detected until a buyer acts, and that anyone who thinks they could be affected should keep tabs on their transactions.

This advice was also given by the U.K. National Cybersecurity Center in published guidance for those affected by the hack.

What the Affected Should Do

Around 380,000 customers were affected by the 15-day breach with their personal and financial details stolen.

British Airways has since taken responsibility and has been working to contact all the affected clients.

It has urged them to contact their banks and credit card providers concerning the issue.

Even those who have not yet detected any changes in their accounts are advised to change their passwords.

On the issue of compensation, British Airways has stated that all customers who lost out financially will be compensated.

The chief executive of BA, Alex Cruz, has apologized to the clients who were affected and has pledged to compensate those affected by fraudulent account transactions.

He also assured clients that the company would expand its services and customer care.

The company has also reassured its customers that the issue has since been resolved, that its website is back online and that they can book their flights normally.

However, with this breach being the biggest to hit a U.K. company, British Airways' reputation has been dealt a huge blow.

The company is working to convince its customers and possible new clients that future bookings will not be affected.

British Airways has since sent an email to members of its regular flyer program, assuring them about the security of their personal data.

The Investigation and Possible Consequences

Any company should build a strong system to prevent cases such as hacking and data leaks to other parties.

If the investigation concludes that the airline was negligent in protecting customers' data, then it could face hefty fines.

The details stolen included CVV codes, credit card information, names and email addresses.

CVV numbers are very important when doing online payments as they are the final step of the transaction.

Due to this, BA could face data protection fines for allowing the exposure of clients' CVV details.

Overall, the stolen information was valued at an estimated £21.5 million.

This is based on an estimated dark web price of £56.50 for each set of credit card details.

If it is determined that BA failed to protect customers' data, then it would face a class-action lawsuit.

The investigation would try to determine if the company had measures in place to prevent a breach of the company's website.

If this is not the case, it would be subject to fines worth hundreds of millions of pounds if found guilty of not having sufficient measures to protect client data.

This is under the European Union's new General Data Protection Regulation (GDPR), which was introduced back in May.

It seeks to ensure that companies put in place the best cybersecurity systems to protect private customer data and information.

Under this regulation, a company could face a penalty of up to 4 percent of its annual sales or £20 million, whichever figure is higher.

This means that if British Airways is found guilty of breaching these regulations, it could face fines of up to £489 million (or more than $642 million USD).

However, if it is determined that IAG is at fault, then the fine could rise to a high of around £825 million.

U.S. law services giant Sanders Phillips Grossman (SPG) says it has plans to initiate a £500 million lawsuit against British Airways if it does not settle with the affected clients.

SPG states that close to 400,000 people were distressed or inconvenienced by the security breach and that British Airways should compensate all the affected.

