Working on a number of cyber security accounts, a serious data breach always makes for a hectic day, as we act as the go-between connecting journalists to our clients, who help explain what happened and why.
Late last Thursday evening (6 September), British Airways announced that it had suffered a serious, sophisticated cyber attack, leaking information about 380,000 transactions – including customers’ personal and financial data.
From a communications perspective, the breach was interesting on a number of levels.
Let’s start with the response from British Airways. The first thing to note is that the company acted quickly. According to the airline, the breach was discovered on Wednesday evening, and the team quickly investigated the extent of the attack before reporting the situation to authorities and announcing the breach to customers on Thursday. This puts it well within the mandated GDPR time frame of 72 hours. Secondly, the company also took full responsibility, even saying it was committed to compensating all customers who were affected financially by the breach. Thirdly, the company put itself in the public eye and made itself available. Customers were alerted over email, the CEO was forthcoming – appearing in a number of TV interviews, and BA even took out apologetic advertisements in Friday’s newspapers.
In spite of all that, British Airways still came in for harsh criticism from customers. Many were disgruntled that they first heard about the breach on social media or the news, and some felt the guidance they received from the company (essentially, just to contact their bank and follow their advice) was insufficient. The situation was made worse by the fact that this is the latest in a string of incidents for the airline, including two IT outages that seriously disrupted flights over the summer, and 2,000 customers having their tickets cancelled because an error meant the sale prices were too cheap. Many online commentators questioned how long BA can claim to be the “world’s favourite airline”.
And it wasn’t just the BA team facing a crisis comms event on Friday morning. Banks and card issuers also found themselves under fire, as many customers struggled to get through to customer support teams that were experiencing high volumes of calls. Once again, Monzo separated itself from the crowd, quickly identifying all affected customers and issuing new cards immediately. More on Monzo’s previous stellar form in dealing with a cyber attack from my colleague Tom, here.
So what can we learn, and what can companies do better? British Airways did a lot right but still got penalised – by the public, if not by regulators (yet). Ultimately, this reflects a trend of decreasing consumer tolerance of cyber attacks. BA joins Ticketmaster and Dixons Carphone in suffering a data leak in just the past few months – three major brands with hundreds of thousands of customers. You’d have been lucky not to be affected by one of the three, and the onus is almost always on the customer to protect themselves in the aftermath. In my opinion, this is where British Airways fell down. While they were public, and present, they failed to offer a concrete solution for the affected customers, which increased feelings of abandonment and concern. Of course, it’s no simple thing coming up with a solution to stolen credentials, but action works better than advice, which is why Monzo did well.
Communication and cyber security are actually more closely interwoven than you might think. Failure to properly communicate a breach can affect stock price (BA’s owner IAG was down 3.1 per cent by Friday morning), can result in harsher legal action from regulators, and ultimately could cost a company customers. As a result, brands are increasingly including PR in their incident response plans (the technical term for how a company copes with a breach once it has happened). This latest breach will have many companies tightening their security further, and adjusting their comms plans too.