I was midway through my British Airways holiday, finishing lunch in a rather nice hotel off the coast of Miami when I received a BBC News notification on my smartphone, announcing that thousands of British Airways customers’ details had been stolen in a malicious hack. It probably won’t affect me, I thought as I polished off the last mouthful of a rather delightful Mississippi mud pie.
However, some 30 minutes later, when I went to pay for said meal and my card was rejected, I logged into my banking app and was presented with an urgent warning, telling me that to prevent any possible compromise to my account, my card had been cancelled and a new one was going to be issued and dispatched within the next 7-10 days.
Fortunately, I had another account I could use, but it quickly made me realise that for some people, without access to other funds or a secondary account – whether their details were compromised or not – using their card to pay for their BA holiday could have quickly led to financial embarrassment.
I was relieved and impressed that my own bank had acted so quickly – although I would have perhaps appreciated some warning – but frustrated that a trusted brand like British Airways could have been so easily duped.
In this digital age, the security of customer data – the data these companies are so desperate to harvest and control – should be the single most important thing they protect. If I willingly allow an organisation to have my data I expect them to look after it.
I put my savings in a bank because I believe that the bank will keep it safe.
Every penny. Every pound.
I expect corporations who hold my data to protect that data in exactly the same way. Even more so because the theft of my funds means I only lose my money, and insurance can usually cover that. But my data – who I am, where I live, my intimate details – is irreplaceable, and no level of insurance can protect me if someone chooses to use my identity for unscrupulous means.
My observations on the matter of cyber-security lead me to believe that big business is not doing enough to protect the information we entrust to them. They are complacent, thinking it will only ever happen to the “other guy”. The problem is that these days it is happening more and more frequently to every “other guy”.
So in the case of British Airways, how was any of it possible to start with?
Technical details have been hard to come by, but there are suggestions from cyber-security experts that someone was able to infiltrate their website with a script that allowed them to grab all data at the point of entry. This has to be the only way they were able to take possession of the CVV numbers, as this information is (or should be) never stored by companies.
In effect, they were siphoning them live from the website. The fact that BA was also very specific about the times and dates between which the attack occurred – 22:58 BST on 21st August 2018 until 21:45 BST on 5th September inclusive – only corroborates the theory.
Which means anyone who made a card payment on their site or through their app between those two dates is probably at risk of having had their details stolen.
Time and time again big business allows these breaches to occur and on every occasion, they react too late. Companies like British Airways should be called to account, heavily fined and reminded that the systems holding our information need to be constantly monitored and assessed for vulnerabilities.
Otherwise, it is little better than double-bolting the front door but leaving the back one wide open.