5 things airlines can do to prevent incidents like the British Airways data breach
The headline that caught the attention of the aviation world today was: ‘British Airways Faces Record £183 Million Fine over Data Breach’. The fine, roughly $230 million, was imposed on the airline by the Information Commissioner’s Office (ICO), the UK’s data protection agency. Data privacy and data protection have been taken very seriously in that part of the world since the GDPR came into effect last May. To put the amount in perspective, it equals 1.5 percent of BA’s global revenues in 2017. It could have been far worse for BA had the ICO imposed a higher fine.
But why did this happen in the first place?
BA admitted that its systems were hacked last September, and that the attackers had stolen personal and financial details of 380,000 customers who booked tickets between August 21 and September 5. The stolen data includes names, postal addresses, zip codes, email addresses, contact details and sensitive payment card details.
While operations were not impacted in this incident, BA’s reputation and trust among loyal customers certainly took a beating. And it isn’t going to be easy to win back that trust.
We’ve heard about similar incidents in the banking, hospitality, and retail industries. Remember the T.J. Maxx incident? And the Marriott-Starwood data breach? Oh yes, lots of banks get hacked, but few incidents are reported in the media.
What can the airline industry learn from all these incidents?
Here are 5 things they should be doing:
- Cost-cutting measures must never compromise data security systems. Aviation companies need to keep investing in the protection of their data assets. That means system upgrades, infrastructure modernisation, and compliance with security standards.
- The airline industry holds on to legacy infrastructure and continues to run decades-old IT systems. An unsecured legacy system can become the weakest link in the chain, so the security of legacy infrastructure also needs to be strengthened.
- Airlines need to worry not only about the security of their internal systems, but about every system in their ecosystem. That includes the systems of cloud service providers, ISVs, ISPs, and other solution providers.
- They must audit all of their own systems and those of their partners. Do they comply with PCI-DSS and other security standards? Penetration testing and the services of ethical hackers can be used to test the security of those systems. Impose heavy penalties on partners, suppliers and everyone else who ties into the network, and make sure all of this is stated upfront, in SLAs and contracts.
- Airlines must treat customer data as an asset and protect it the way they would protect their crown jewels, trade secrets, and intellectual property.
Beyond fines and compliance, we think there is something more important for the industry to consider: what value do they place on customer data? Competition is fierce and customers have options, so airlines need to work hard at building trust and loyalty. As custodians of their customers’ data, they need to do everything they can to secure it. One cannot be “penny-wise, pound-foolish” when it comes to spending on data security.