British Airways suffers massive data breach affecting personal information of 380,000 customers
September 11, 2018
Notwithstanding poor data security and inept regulation, data breaches have a very significant impact on both reputation and the bottom line, and oftentimes the one is tied in with the other. British Airways suffered a data breach, by means of a cyber attack by criminal hackers, sometime between 21 August and 5 September 2018, which compromised the personal and financial information, including credit card details, of more than 380,000 customers. Unfortunately British Airways has been hacked before; its Executive Club was hacked in 2015.
Properly advised and motivated, it is possible to contain the damage from a data breach, even one as large as that of British Airways. The key is getting out early and explaining what has happened, putting the breach into context (if possible) and offering help for those affected. It also involves having an action plan which brings in IT, legal, corporate and public relations. And probably insurance.
The British Airways response has been reasonable so far. It has taken out advertisements and contacted the police and the National Cyber Security Centre. And of course the Information Commissioner’s Office has been made aware and is investigating.
The reality of a data breach as big and high profile as that of British Airways is comprehensive media coverage. That can have a massive impact on the company. Reuters reported on the data breach on 6 September 2018, and British Airways apologised on Friday about the breach, which occurred over a two-week period. The Guardian is running with the story, as is the BBC.
The latest update by British Airways was on 9 September 2018 which stated:
We are investigating, as a matter of urgency, the theft of customer data between 22:58 BST August 21 2018 until 21:45 BST September 5 2018 from our website, ba.com and our mobile app.
The stolen data included personal and financial details of customers making bookings and changes on ba.com and the airline’s app. The data did not include travel or passport details.
The breach has been reported to the authorities and our website is now working normally.
We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice.
British Airways will not be contacting any customers asking for payment card details and any such requests should be reported to the police.
We understand that this incident will cause concern and inconvenience. We have contacted all affected customers to say sorry, and we will continue to update them in the coming days.
What to do if you have been affected
If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.
Please be aware that we are experiencing high call volumes into our contact centres; please continue to check this page for the latest information.
Phishing
Customers should also be aware that fraudsters may be claiming to be British Airways and attempt to gather personal information by deception (known as ‘phishing’). See below for more information on how to validate that the email you have received from us is genuine.
Meanwhile in Australia on Monday night the 7.30 show had a piece on a series of data breaches by banks. The ABC uncovered the breaches through Freedom of Information applications. The most serious of the breaches reported was a Westpac manager handing over the banking passwords of 80 customer accounts. Other breaches included Esanda losing files containing names of customers and a NAB employee doxxing a customer’s address on Facebook. Given the spread of data breaches across a range of financial institutions, it is a cause for concern. What is interesting and, unfortunately, not surprising is that the banks approached the Information Commissioner but there has been no discernible action taken in relation to these data breaches. Unlike overseas information commissioners and other regulators, the Australian Information Commissioner works in the shadows. That suits those who breach quite well.
In relation to the Westpac breach, its spokesman said:
“We engage regularly with the OAIC and proactively report certain suspected data breaches,”
That statement says it all. Engaging with the regulator is not only notifying but using the regulator to minimise any action. Unfortunately, given the long history of inaction, it is reasonable to infer that the Commissioner has been co-opted into a comfortable arrangement where those affected by a breach notify the regulator, the regulator goes through the motions while feeling like it matters, the exercise is completed with a sign-off and both parties get what they want: the organisation doesn’t suffer enforcement action and can point to compliance, and the regulator can say that it has been busy and can add an investigation to its tally for the Annual Report. Of course the regulator avoids taking the more difficult but ultimately more effective course of issuing proceedings and making public the nature of the breach.
No reputational impact. It also harms the regulation because there is no message to the market that failures in complying with the Privacy Act have consequences.
The ABC story online provides:
A Westpac manager handed over the banking passwords of 80 customer accounts to a mortgage broker, giving them direct access to personal bank accounts in a serious breach of customer privacy.
It is one of a catalogue of 32 breaches Australia’s four largest banks disclosed to the Office of the Australian Information Commissioner (OAIC) between January 2012 and April 2018 that were obtained by 7.30 under Freedom of Information laws.
Westpac reported 18 privacy breaches to the privacy watchdog, NAB reported nine, the Commonwealth Bank reported three and ANZ reported two.
A spokesperson for each bank told 7.30 they take customer privacy seriously.
The revelations have emerged as the banking industry is under significant scrutiny from the financial services royal commission, and amid a broader global debate around privacy triggered by how social media giants are using personal information.
7.30 can reveal the Westpac employee who handed over the banking passwords of 80 customers to a mortgage broker is former relationship manager Marten Pudun.
In July 2018, the Australian Securities and Investments Commission (ASIC) permanently banned him from engaging in credit activities for knowingly or falsely giving false documents to Westpac to help his clients obtain home loans.
He declined to comment to 7.30 and is no longer a Westpac employee.
The company’s notification of the incident to the OAIC in July 2017 stated: “We initially identified this with respect to some Westpac customers who obtained home loans through this particular mortgage broker group and relates to temporary passwords established when the customer originated their online banking.
“While our investigations into the breadth of the issue is ongoing, we have currently identified around 80 customers that we believe may have been impacted and we are beginning a process of contacting them.
“A (now former) Westpac employee appears to have re-set the passwords of customers and provided the temporary reset password to employees of the mortgage broker group.”
The bank wrote that it had not identified any unauthorised transaction activity at the time of the notification.
Westpac employee accessed former spouse’s data
The documents obtained by 7.30 reveal other serious breaches at Westpac where other employees misused their access to sensitive customer information.
In April 2017, a Westpac employee accessed the account and transaction information of about 15 customers, including a number who appear to be public figures.
The disclosures state the records included “other individuals … who are known in the public domain”.
Police were notified about the breach and the staff member no longer works at Westpac.
In August 2017, another Westpac employee inappropriately accessed the banking records of their former spouse, as well as another customer.
The company told the privacy commissioner: “We are also making an ex gratia offer to both customers to reflect the seriousness in which we are handling this matter.”
A Westpac spokeswoman said the bank “takes the protection of its data and privacy extremely seriously”.
“We engage regularly with the OAIC and proactively report certain suspected data breaches,” she said.
“When we make mistakes, we make sure we put it right by remediating affected customers, informing all relevant authorities, making process changes to prevent similar incidents, and where necessary, taking disciplinary action against employees who are found to have done the wrong thing in accordance with our Westpac Group Code of Conduct.”
NAB employee ‘doxxed’ customer’s address on Facebook
Other Australian banks reported similar types of breaches.
In January 2013, an NAB employee entered into a Facebook dispute with a member of the public about the shooting death of children in Sandy Hook in the US in December 2012. The employee then set up a fake Facebook persona and “revealed the address of the owner of the online posts”, according to the bank’s correspondence with the privacy commissioner.
The documents state the employee resigned before any action was taken against them.
A spokeswoman for the bank said: “If people at NAB break the law or breach the code of conduct, there will be consequences. If our people do the wrong thing, we will hold them accountable and will take the right action.”
“As this act by the employee conflicts with NAB’s Code of Conduct and Social Media Guidelines, NAB commenced its disciplinary and investigative process. During this time the employee in question provided their resignation and is no longer with NAB.”
The data breach was described by the chair of the Australian Privacy Foundation, David Vaile, as an attempt to “doxx” a banking customer.
Doxxing is a phrase used to describe a conscious attempt to humiliate or cause harm to a person by deliberately posting sensitive information about them online.
“The bank said they took that information down off Facebook,” Mr Vaile said.
“But it’s gone, it’s permanent global publication, you can’t get it back. And for the bank to think that was enough, that in itself shows that they didn’t appreciate the potential range of problems in that particular instance.”
Other documents show more traditional sorts of data breaches.
In August 2015, ANZ’s car loan subsidiary Esanda lost a box of files containing the names, customer identification documents, conversation records and financial information of 23 customers.
The bank offered to write off the amount owed by all affected customers, totalling $368,000, “and offered to reimburse impacted customers the cost of a 12-month credit alert subscription service”.
An ANZ spokesman said in a statement: “As these cases highlight, we take appropriate steps to minimise any actual or potential impacts and proactively notified the Australian Information Commissioner even before the introduction of mandatory data breach requirements.”
Several other breaches reported by Westpac reveal technical issues with new tap and pay technology.
In December 2017, some customers who signed on to Westpac’s new tap and pay wearable banking software found they could see other customers’ banking details on their wearable devices.
The bank said “a customer advised us last week that they were able to see displayed pre-populated data of another person … The pre-populated data included BSB and account number, account balance, email address and masked residential address”.
Banks must now notify customers of serious breaches
Up until March 2018 it was voluntary for banks to report privacy breaches to the information commissioner.
One of Australia’s leading privacy law practitioners, barrister Michael Rivette, told 7.30 he expected to see far more revelations about breaches, and a greater focus on litigation in Australia.
“One of the fastest growing areas of litigation in America, and it’s starting here now, is privacy class actions,” he said.
“So a bank may find themselves as a defendant in a privacy class action, where the class of the individuals is seeking compensation or redress.
“If a breach is likely to cause serious harm to the individual then they have to be reported.”
Banks must now notify the OAIC and customers where there is a likely risk of serious harm resulting from the breach.
The documents show a small number of mandatory reports made by the banks in March and April 2018.
The OAIC’s first quarterly report shows the banking and finance sector had the third largest disclosure of data breaches, with 13 per cent of reported breaches.
Health service providers made 24 per cent of the notifications, and legal and accounting services made 16 per cent of reports.