Counting the cost of the BA cyber hack
Airlines are about trust, loyalty, safety. Not just in the air, inflight, but on the ground – and increasingly on the ground before and after their flights. So when you find out that your payment data has been hacked after buying a ticket on one of the world’s most trusted airlines – British Airways – that trust can disappear in a second. Airlines suddenly look vulnerable – and that’s not a good message or image for the customer base they rely on. Increasingly all of us – commentators or customers – can see that airlines are a ripe target for hacking – they are exposed to vicious threats on the cyber security front. Why? For starters they hold a huge amount of passenger data (regardless of payment/credit card details/transaction data).
I was at Aviation Festival last week when the story broke. Ironically it was an executive at a major insurance broker for cyber security who shed light on the topic – mainly because he was a victim of the hack. He showed me the inane email that British Airways had sent out in the early hours to the 380k passengers whose credit card details had been stolen. He was not impressed. And I don’t blame him. I wouldn’t be either. It was a very ‘beige’ email to the effect that the breach had been ‘resolved’, with a few cliched statements like ‘we are very sorry’, ‘You may have been affected’ through to ‘contact your bank’, and signed off with ‘deepest apologies (about this) …. Criminal activity’. And to cap it all, it encouraged victims to ‘visit our website – ba.com’. So to summarise: a single email which offered no hotline number to phone for advice, no live chat facility, just a ‘visit our website’ suggestion. There was no mention of compensation. This was at 2.30am on Friday 7th September. This customer (who showed me the email) said he liked the BA app and found it very convenient but it was ‘bad to lose passenger details.’
I had seen on broadcast news the night before a fairly benign interview with BA chief executive and chairman Alex Cruz. But he hadn’t really addressed the anxiety and the range of issues that were erupting.
This is a new area of risk for airlines and a developing area for exposure – they need to be insured against not only hacks but crashes – but putting a value on that – i.e. a price for insurance – is difficult. Insurers recommend airlines have their own disaster recovery strategy, especially to cover computer forensics. And remember the BA crash last year, anyone? When an engineer pulled the ‘wrong plug’ out of a wall socket and sent the entire operating system into meltdown? That reputedly cost BA in excess of £80M. Yes, £80 million! (Probably more.) Notwithstanding human error, data breaches to airlines are increasingly common.
A sinister consequence of cyber attacks is ‘extortion’ or ‘ransomware’, such as the one that hit the NHS last year. In the airline scenario this would play out something like the following: passenger data is hacked and grabbed, the entire system shuts down, and airline officials are presented with blank screens carrying an extortion demand for money, with the threat that if the sum is not paid, the passenger data will be released. This is a high value disruptive ‘market’ – one source puts the potential cost to the aviation industry at $6 trillion by 2021. When airline revenues are estimated to be $754bn globally, this is a truly staggering threat.
And the problem for the afflicted airline in the grip of a crisis, as BA was over the weekend (and still is), is that passenger memories, like those of an elephant, are long – extremely long. So for BA, although the issue has been ‘resolved’ and it is business as usual, there could be an additional price to pay. We have yet to see the impact on the BA brand from this nasty abdominal shock to the airline’s core value of trust. Not to mention the huge costs in compensation and potential fines from regulators.