5 things airlines can do to prevent incidents like the British Airways data breach

by Brian Pereira | Jul 9, 2019

Credit card theft

The headline that caught the attention of the aviation world today was: ‘British Airways Faces Record £183 Million Fine over Data Breach’. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, announced its intention to fine the airline £183.39 million (approximately $230 million). Data privacy and data protection have been taken very seriously in that part of the world since the GDPR came into effect in May 2018. To put the amount in perspective, it is 1.5 percent of BA’s worldwide turnover for 2017. It could have been far worse: the GDPR allows fines of up to 4 percent of global annual turnover.

But why did this happen in the first place?

BA admitted that its systems were hacked last September, and that the attackers had stolen personal and financial details of about 380,000 customers who booked tickets between August 21 and September 5, 2018. The data included names, postal addresses and postcodes, email addresses, contact details, and sensitive payment card details.

While operations were not impacted in this incident, BA’s reputation and trust among loyal customers certainly took a beating. And it isn’t going to be easy to win back that trust.

Our View

We have seen similar incidents in the banking, hospitality and retail industries. Remember the T.J. Maxx incident? And the Marriott-Starwood data breach? Banks get hacked too, but few of those incidents are reported in the media.

What can the airline industry learn from all these incidents?

Here are 5 things they should be doing:

  1. Cost-cutting measures should never compromise data security. Aviation companies need to keep investing in the protection of their data assets: system upgrades, infrastructure modernisation, and compliance with security standards.
  2. The airline industry holds on to legacy infrastructure and continues to run decades-old IT systems. An unsecured legacy system is a weak link in the chain, so the security of that infrastructure needs to be actively strengthened, not merely maintained.
  3. Airlines need to worry not just about the security of their own internal systems, but about every system in their ecosystem. That includes the systems of cloud service providers, ISVs, ISPs, and other solution providers.
  4. They must audit all of their own systems and those of their partners. Do they comply with PCI DSS and the other security standards that apply to them? Regular penetration testing, including engaging ethical hackers, should be used to test the security of those systems. Security obligations, audit rights, and heavy penalties for non-compliance should apply to partners, suppliers and everyone else who connects into the network, and all of this should be spelled out upfront in SLAs and contracts.
  5. Airlines must treat customer data as an asset and protect it as they would their crown jewels, trade secrets and intellectual property.

Beyond fines and compliance, there is something more important for the industry to think about: what value does it place on customer data? Competition is thick and customers have options, so airlines need to work hard at building trust and loyalty. As custodians of their customers’ data, they need to do everything they can to secure it. One cannot be “penny-wise, pound-foolish” when it comes to spending on data security.


Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn. Email Brian at: [email protected]