Image: International Airlines Group Image: International Airlines Group
BA has been plunged into crisis over its IT system yet again, this time it’s theft of customer data, including personal financial data, that’s involved.

It’s May 2017 and the BA boss Alex Cruz said: “We absolutely profusely apologise.”

September 6th 2018, and he is at it again, this time saying “We are deeply sorry.”

In between those dates, BA had to cancel flights to Middle Eastern destinations such as Dubai and Tel Aviv, after a pricing error. But at least the company said “We have apologised.”

Back in 2017, it was a systems failure, leading to cancelled flights, and a plunge in the parent company’s (IAG) share price. This time, there is no sign of any cancelled flights, customers don’t need to change travel arrangements, they simply have the small matter of financial data being stolen, leaving possibly as many as 380,000 customers having to contact their bank, and have new card numbers issued.

It is being presented as if the fact that passport or travel details weren’t stolen is good news — no need for customers to worry that details of when they are going to be away is out there. They merely have to worry about stolen bank card details.

After the incident of cancelled flights, BA said it had made a gesture of good will. It is interesting to speculate on what good will gesture it might make this time.

Maybe the UK’s privacy regulator, the ICO, will make one on its behalf. IAG’s turnover in 2017 was €22,972 million. The ICO can theoretically fine a company up to four per cent of turnover — that’s not far off a billion euros.

This does not mean the fine, if indeed there is a fine, will be anything like that level. It depends.

With or without a fine, BA will have a bill to pay — it has said that “every customer affected will be fully reimbursed and we will pay for a credit checking service.” That won’t be cheap.

Breaches are inevitable. In the case of this latest incident, it was down to criminal activity by hackers, leading to a theft that IAG has reported to the press. BA may be guilty of errors, which may spawn fines, but the real villains of the piece are the men or women behind the theft.

BA said: “We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused.”

And on the hack itself, Mr Cruz described it as a “very sophisticated, malicious attack.”

There are lingering concerns, however. Mr Cruz won his spurs at budget airline Vueling, where he made his mark by slashing costs.

And the big boss, Willie Walsh, top honcho at IAG used to be known as ‘Slasher Walsh’, when he cut jobs at Aer Lingus, the airline he once presided over.

Just because the top men at IAG and BA have a reputation for cost cutting, it does not mean that one can put these failures at the company down to penny watching. Determined criminals might well have hacked into the system if the IT budget had been double the level it was.

The suspicion though is that the decision by BA to outsource hundreds of IT jobs to India’s Tata Consultancy Services in 2016 did not help.

After the computer meltdown in 2017, observers accused the company of failing to learn from failures at rivals. 15 months later, it is tempting to conclude it hasn’t even learned from its own errors.

Article originally posted on GDPR Report