247 Detectives

Please Call NOW 0845 520 4121 / 07017 411 007


1st Call Detectives Blog


Cyber security needs wings – lessons from BA

by Josef Kafka

Any companies still complacent about the issue of cyber security have received a massive wake-up call with the news that British Airways is the latest company to suffer at the hands of hackers.

It’s easy to think that big companies with deep pockets would have their IT fully secured and hack-proof.

The UK’s largest airline shows this is certainly not the case.

Though it has revealed few details about its shocking data breach, BA announced that sensitive customer data has been stolen from its website.

It is believed to include credit card details for 380,000 passengers who booked flights between August 21st and September 5th this year. That means that the name, card number, expiry date and security code for each person fell into the hands of hackers.

BA’s sobering experience

British Airways was quick to reassure passengers that anyone outside those dates was unaffected and that the problem was rectified. It also said that such information as home addresses and passport details had not been leaked.

The airline also reported that anyone who is a victim of this serious hack would still have their flights securely booked.

Significantly, BA claimed that before its public announcement, it had personally liaised with each one of the 380,000 people affected. This included encouraging them to contact their credit card providers for instructions.

In a feeding frenzy on Facebook, some of those affected expressed dismay that they had either not been informed, or had received little or no help from credit card companies. Others were angry that they had been forced to cancel credit cards just before taking holidays and business trips abroad.

Apart from the huge PR nightmare this incident has caused, it is likely BA will face a hefty fine. Under the EU General Data Protection Regulation (GDPR) that went live in May, it could be up to 4% of their global turnover.

BA not the first, or the last

The fine will be imposed after an investigation by the Information Commissioner’s Office – the organisation responsible for policing the GDPR. It could well seek to make an example of BA, with its serious data breach coming so soon after the new legislation came into effect.

However, the first UK organisation to fall foul of the new laws was Dixons Carphone. The company fell victim to “unauthorised data access”, affecting 5.9 million payments and 1.2 million personal records. This figure is staggering, but at the time the company was quick to point out there was no evidence to suggest the data illegally acquired had been used for fraudulent purposes.

The size and magnitude of data breaches since GDPR – possibly due to data scraping from websites – suggest that the new legislation actually only masks long-term frailties in the way companies gather and store personal data. These are issues that have yet to be resolved, and could inevitably lead to even more high-profile leaks that rock consumer confidence.

Such is the size and complexity of modern-day data security that some have even referred to the GDPR as “closing the barn door after the horse has bolted”.

Learning from past mistakes and stopping future ones

What can companies do, not just to pay lip service to data management compliance, but to actually make sure their websites are secure now, and that they continue to be secure in the future?

It certainly involves investing in the right tools and expertise to protect yourself from careless mistakes or the most determined hackers.

As well as creating as many deterrents and delaying tactics as possible, organisations need to be able to detect cybercrime quickly. They need end-to-end visibility of all their data systems, around the clock. If you receive an early warning of a data threat, you can act quickly and decisively, rather than having a PR disaster to clear up.

Technical Surveillance & Counter Surveillance Measures

There are reports that BA’s recent data breach came to light when one of the company’s external security measures kicked in and someone flagged up the leak. This is likely to be one of the company’s TSCM – Technical Surveillance & Counter Surveillance Measures – proving its worth.

This is one of the most vital steps to take in building robust cyber security measures. It can simply involve having access to external expertise to constantly audit and test your site’s data security systems.

In some cases, it involves the use of professional, validated hackers. If they can spot flaws and gaps, so can criminal hackers!

Having counter surveillance measures in place to prevent cyber crime is commercial common sense. Nor is it something that only big companies can afford.

1st Call Detectives offers a range of data security, encryption and privacy services, including TSCM. For a free, no-obligation quote, contact us.

So instead of “flying by the seat of your pants”, we can make sure your data management is grounded in the latest cyber security measures.

 
