What can we learn from the BA data breach?

Having spoken extensively in the past about what could happen to businesses and consumers in the wake of a data breach post-GDPR, we are now able to see the fallout.

British Airways (BA) has warned that around 380,000 card payments on its website and through its app were compromised between 21st August and 5th September. This is the first high profile data breach since the GDPR came into effect in May. BA could potentially face fines up to $650m (£489m) but in reality, this may just be the start of the airline’s concerns.

In the immediate aftermath of the announcement of the breach, shares in BA’s owner IAG slid by 4%, a market value loss of $684m (£528m). This is before any losses that could be incurred through consumers choosing not to do business with BA and the cost of compensation. In short, there is a strong possibility that the financial cost could run into the billions.

What is just as concerning for consumers is how such a breach could happen. Whilst we currently do not have a definitive answer, there are clues. BA’s CEO reported that names, email addresses, credit card numbers, expiration dates and the three-digit [CVV] code on the back of credit cards were stolen. It is against PCI DSS to store the CVV number, which suggests that card details were intercepted during the payment process rather than being taken from storage systems. What this highlights is that it is not just the storage of credit card details which should be of concern. For example, many contact centres still use compensating controls for taking payment over the phone, such as pause and resume. This stops sensitive credit card information from being stored, but it does not stop it being heard, written down and potentially stolen. Solutions such as Agent Assist work by ensuring that no sensitive credit card data enters the contact centre environment.
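The inference above (PCI DSS forbids storing the CVV, so its theft points to interception at payment time rather than a raid on storage) can be turned into a routine check on what a payment system actually retains. The following is an added example, not code from the original post or from PCI Pal; the log format and the sample records are constructed, and it flags both a stored CVV and a PAN left in the clear.

```python
import re

# Constructed sample records (not real data): what a web or contact-centre
# payment system might write to a log or database after authorisation.
SAMPLE_RECORDS = [
    "2018-09-01 order=1001 pan=4111111111111111 exp=09/22 status=authorised",
    "2018-09-02 order=1002 pan=5555555555554444 exp=11/21 cvv=123 status=authorised",
    "2018-09-03 order=1003 pan=************4444 exp=11/21 status=authorised",
    "2018-09-04 order=1004 pan=tok_8f3a9c exp=11/21 status=authorised",
]

PAN_RE = re.compile(r"\b(\d{13,19})\b")                # unmasked card number
CVV_RE = re.compile(r"\bcv[vc]2?=(\d{3,4})\b", re.IGNORECASE)
ORDER_RE = re.compile(r"\border=(\w+)")                # constructed field name

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real-looking PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_record(record: str) -> dict:
    """Report what cardholder data one stored record retains."""
    m = ORDER_RE.search(record)
    return {
        "order": m.group(1) if m else None,
        # PAN in the clear: PCI DSS requires a stored PAN to be rendered unreadable
        "plaintext_pan": any(luhn_ok(p) for p in PAN_RE.findall(record)),
        # CVV after authorisation: sensitive authentication data, never to be stored
        "cvv_stored": CVV_RE.search(record) is not None,
    }

def find_violations(records):
    """Return the records that keep a PAN in the clear or a CVV."""
    return [r for r in map(scan_record, records)
            if r["plaintext_pan"] or r["cvv_stored"]]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_RECORDS):
        print(v)
```

Records 1003 (masked PAN) and 1004 (token instead of a PAN) pass, which is the point of descoping: data that never reaches the environment cannot be taken from it.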

For any consumer-facing business, these findings should serve as a stark warning to ensure that they are implementing online and voice payment security measures, or face negative and potentially long-lasting revenue and reputational consequences. With data breaches still on the increase, it is time for a change in mentality around cyber security. Rather than only trying to keep the hackers out, businesses should be focusing on encrypting what data they have and, where possible, ensuring there is no data for them to take in the first place.

Get in touch with one of our experts to discuss the benefits of descoping your contact centre now.

The post What can we learn from the BA data breach? appeared first on PCI Pal.

*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Geoff Forsyth. Read the original post at: