British Airways data hack: these events are happening too often

Tougher regulation is needed to force companies that hold our data to secure it more effectively

James Moore
Chief Business Commentator
Friday 07 September 2018 11:41 BST
BA data breach: 'Name, email, address and credit card information' stolen, says CEO

Here’s everything you need to have a whale of a time at someone else’s expense: name, address, credit card number, card expiration date, three letter security code.

The sophisticated and malicious hackers that targeted British Airways were able to get their hands on all those details, intercepting 380,000 transactions in total. They also picked up customers’ email addresses. Bonus!

They did not get customers’ passport details or itinerary information. But that’s really not going to come as much comfort to those affected. It amounts to saying: “We’ve just hit you in the stomach, but here, have a paracetamol because it could have been worse.”

Except that it gets worse. Here’s another gut punch: the breach took place between 21 August and 5 September. So it was active for just over two weeks. BA was informed of it by “a third party”, thought to be another airline targeted with a high volume of attempted fraudulent transactions.

And here’s another: customers have been taking to social media, and the airwaves, to say they found out about this stuff not from BA but via the news media, Twitter and other outlets.

Some of those who were contacted received emails that landed in the early hours of the morning. If you’re like me you probably get a lot of guff in your inbox so something coming from a business at that time could all too easily get missed.

Faced with all this, the natural inclination of many people has been to attempt to cancel and replace their cards – forget the “watch your account and if nothing happens don’t worry about it” advice.

But that’s just left them with the frustration of dealing with another industry, banking, that takes a decidedly slapdash approach to customer service: “We are experiencing a high volume of calls at the moment. Please hold the line. Your call is important to us.”

A country that works for everyone, said Theresa May. Here is yet another example of the vast gulf between her rhetoric and everyday reality.

This latest incident comes just a couple of months after a major Ticketmaster hack and another at Dixons Carphone, the electronics retailer.

They all bear striking similarities: delays in the hack coming to light, poor communication after the event (I was caught up in the Ticketmaster occurrence and can testify to that), apologies from executives that sound less than sincere if you find yourself on the receiving end.

It really isn’t good enough.

The affair has hit the share price of BA’s owner IAG, which was trading down 3 per cent at the time of writing, good for £400m off the company’s market value. It’s important that investors have apparently taken the issue seriously, all the more so at a time when the company has been trying to repair its frayed relations with the people who fly with it.

But such falls often prove transitory.

The money required to compensate customers who lose out through fraudulent transactions is real and may have a meaningful impact on BA’s results. Shareholders, accustomed to the ups and downs of stock prices, will likely pay more attention to that, not to mention the potential damage to the company’s reputation.

What is troubling, however, is that I’ve been hearing people talk about such data breaches being “a fact of modern life”. That’s dangerously blasé, and provides a get-out for companies that are failing to invest sufficiently in IT, and particularly in data security. How often have you seen IT mentioned in cost-cutting plans? It’s worth noting BA’s mania for outsourcing at this point too.

Broadband provider TalkTalk was fined £400,000 after a serious cyber attack in 2015. It affected half as many customers as have been caught up in the BA event. However, for a company like IAG, even a penalty of double that would represent little more than a rounding error in its accounts. Businesses like it will only invest sufficiently if the consequences are sufficiently severe. Regrettably, it’s debatable whether even compensation costs running to tens of millions, and the horror and outrage of customers, are truly cutting it.

The regulatory and legal strings may need to get a lot tighter to truly get the point home.
