[FDOS_UK]

Despite failing to protect 380,000 sets of personal data, including payment card information and home address, there is a stunning silence from BA.

Last year, the IT meltdown resulted in long extensions for BAEC members (which I didn’t agree with, by the way) and EC261 compensation, but there is not even a gesture to the people who have had to change credit cards, arrange CIFAS protection etc. All they have offered was a 12 month Experian service, which would not work for me, due to it rejecting my previous address in Malta, as the post code would not validate.

No consideration for the lost time arranging new credit cards and the worry of fraud, which will go on for months, possibly years, as criminals bid for data so they can add more pieces to the identity jigsaw to make false applications for credit, ID documents, etc, nothing, nada.

To my way of thinking, this breach is much more serious than the IT meltdown, as it has caused potentially permanent damage to people and yet the company seems to feel that it was the victim, not the people whose data was allowed to be harvested.

I hope the ICO hammer them with a big fine and am glad that SPG Law are doing something for the affected people, so at least they will receive some gesture of recompense (even though we know that the lawyers are the ones who really benefit from class actions).

2 users thanked author for this post.

DerekVH, capetonianm

[FDOS_UK]

Just to put things into perspective, a contributor on Flyertalk recently received 100,000 avios for problems on 4 flights.

https://www.flyertalk.com/forum/british-airways-executive-club/1929313-ba-just-deposited-100-000-avios-into-my-account-problems-my-flights.html

But the people who had their personal details taken do not even get a personal written letter of apology from the CEO, when BA had a legal duty to protect that personal data.

1 user thanked author for this post.

capetonianm

[capetonianm]

One of my cards was compromised at the end of July (nothing to do with an airline) and the resultant mess, compounded by the unbelievable incompetency of the bank’s credit card division (NatWest) meant that I spent many frustrating hours on the ‘phone to them, has only finally been sorted out last week.

They paid me about £300 in compensation, but that really does not make up for time wasted and aggravation. If it had been my only credit card, I would have been in an even worse situation.

I feel very sorry for the victims of the BA hack and had I been one, I would have been on the bandwagon.

[Tom Otley]

[quote quote=896290]Just to put things into perspective, a contributor on Flyertalk recently received 100,000 avios for problems on 4 flights.

https://www.flyertalk.com/forum/british-airways-executive-club/1929313-ba-just-deposited-100-000-avios-into-my-account-problems-my-flights.html

But the people who had their personal details taken do not even get a personal written letter of apology from the CEO, when BA had a legal duty to protect that personal data.[/quote]

You can get 5,000 avios for the IFE not working !

[capetonianm]

Interesting analogy with very different numbers. I wonder what the ICO will consider an appropriate fine for BA’s data breach.

As an aside, it has come to my notice through professional contacts that some online travel agencies in the UK, and no doubt elsewhere, are still storing full CC details in a non-secure way in the GDSs. The exposure to risk is low, but it should be nil.

The operator of London’s Heathrow Airport has been fined GBP£120,000 (USD$156,500) by a UK data privacy regulator for failing to ensure that personal data held on its network was properly secured.

The Information Commissioner’s Office (ICO) fine was for a 2017 incident when an employee of Heathrow Airport lost a USB memory stick that was subsequently found by a member of the public.

The stick held 76 folders with over 1,000 files, some of which contained personal information including names, dates of birth and passport numbers of a number of airport employees. The data was neither encrypted nor password protected, the ICO said.

The person who found the stick viewed it before handing it over to a national newspaper which took copies of the data before giving it back to the airport operator.

The regulator said that although the personal data held on the stick made up only a small amount of the total files, it was particularly concerned about a training video which exposed ten individuals’ details, and the details of up to 50 aviation security personnel at the airport.

“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise,” ICO Director of Investigations, Steve Eckersley said.

The ICO investigation found that only two percent of the 6,500-strong workforce had been trained in data protection.

Other concerns included the widespread use of removable media in contravention of the company’s policies and guidance, and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.

Heathrow Airport said it had carried out remedial action when it was informed of the breach including reporting the matter to the police, acting to contain the incident and engaging a third party specialist to monitor the internet and dark web.

[FDOS_UK]

Interesting – that breach is pre GDPR, so the penalties could be much higher, now.

In this modern world, USB memory sticks are a nightmare – I have locked down (physically and by software) all the external storage ports on my laptop, including the USB ports and the SD card port.

All it takes is for someone to slip an infected device in and …..

The Heathrow episode shows that people disregard security policies, so locking them out (including colleagues) is the only way.

Also, if anyone asks to charge their smartphone from your laptop, beware, don’t do it without something like this

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8

Protect your data.

1 user thanked author for this post.

GivingupBA

[Swissdiver]

[quote quote=897396]Interesting – that breach is pre GDPR, so the penalties could be much higher, now.

In this modern world, USB memory sticks are a nightmare – I have locked down (physically and by software) all the external storage ports on my laptop, including the USB ports and the SD card port.

All it takes is for someone to slip an infected device in and …..

The Heathrow episode shows that people disregard security policies, so locking them out (including colleagues) is the only way.

Also, if anyone asks to charge their smartphone from your laptop, beware, don’t do it without something like this

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8

Protect your data.[/quote]

I won’t do it anyway! But I always carry a USB plug…

[MartynSinclair]

also be carful when using hotel / public copying machines. Most have hard drives and retain a copy of whatever has been copied…

[flier74]

It I really is interesting. I have been caught up in this and whilst on holiday have been advised of a number of fraudulent charges. I had to repeatedly call the Credit Card company to sort this mess out and faced several issues as the card then got cancelled and I had a number of hotel bookings made with the card which they wanted to see on checking in.

I am now trying to claim back call costs from BA. I had a copy and paste e Mail after nearly three weeks just saying they need receipts (obviously) but also PNRs and dates when I booked flights during the data breach period, not that they could look that up themselves it seems, given I am a Gold Card holder.

They still call it unfortunate and in the e Mail it’s a relatively low key issue to them.

In the meantime they also state they are not aware of any fraud as a result of this data breach, but I doubt I am the only one.

“Head in sand” springs to mind and I’ll ensure they will be aware that my card indeed has been used for fraudulent activities and see what they say. But I am not holding my breath apart from another “We are sorry” copy and paste e Mail.

It will be interesting to see if they will face any consequences of this massive data breach.

[Mark Caswell]

British Airways admits CVV data “potentially compromised” in hack

[Tom Otley]

AMEX is sending out reassuring emails…

[FDOS_UK]

To my way of thinking, although the numbers of potentially affected people is lower, this is very serious, because the exposure window was between April 21 and July 28 and BA did not report it within the 72 hours required by GDPR – in fact, I would assume it has only just been discovered during forensic investigation post hoc.

If this data has been left unsecured, without apparent awareness, then the next question is is there anything else they do not yet know about?

Having read the Cruzifer’s email, I cannot help being amused by the choice of words ‘criminal data theft’ and wonder what planet he lives on – is there a ‘non-criminal data theft’ in that parallel universe?

I would imagine that the fine coming BA’s way likely just got higher due to this latest announcement. I hope they get hammered ‘pour encourager les autres’.

Guess what? I made a reward transaction in this period, am just waiting to see if I am affected.

[stevescoots]

I received my Amex email a few hours ago, another for the file

[Author]

Posts