As if the airline industry didn’t already have enough to worry about, with a 90% drop in traffic due to COVID- 19 and the ongoing threat to business from quarantine measures around the world, Easyjet is now the latest to report a huge data breach.
According to news bulletins, some 9m customers’ details have been hacked and the credit card details of a minority ‘accessed’ in what the company described as a “highly sophisticated cyber-attack”.
Similar major incidents were reported in 2017 by Delta Airlines (personal and payment information of 825,000 customers) and in 2018 by Cathay Pacific (9.4m passengers’ details stolen, including passport numbers, email addresses and expired credit card details) and British Airways (personal and financial details of 380,000 customers compromised), which underlines how valuable a repository of personal information they represent for those intent on stealing it.
Just like hotel chains and car rental companies, airlines have some of the largest customer databases in the world, with personal data stored for future use for bookings and loyalty programmes including travel information and preferences, passport/social security no. details (including date of birth), addresses and credit and debit card numbers – all of which can be monetised in various ways by the hackers or those they sell the information on to.
For people with high credit scores, a full stolen identity profile (social security no., birth date, full name etc.) can sell for as much as $80. The value of stolen credit card details rose by as much as 83% between 2015 and 2018 according to Armor, to between $5 and $75 per card – the higher value being for card details including CV2/CVV number and personal information, allowing the stolen card to be be used for online purchases too.
So the financial implications of such a data breach for an airline (or indeed any other kind of merchant) is very serious indeed, including reputational damage, the cost of re-issuing cards, compensation for any financial losses to customers as well as providing free access to credit reports from credit agencies for them to check that credit isn’t taken out in their name.
The fines and knock on effects of compliance and regulatory failure can be eye-wateringly high too. The advent of GDPR in Europe (and for those with EU customers elsewhere in the world) leaves organizations open to fines of up to 4% of turnover in the case of a data breach, as British Airways found to its cost when the UK’s Information Commissioner fined them a record £183m in 2019, with a fine of £500,000 applied to Cathay Pacific.
Similar privacy legislation emerging in the USA (such as California’s CCPA in 2018 and the New York Privacy Act which has been tabled) and Australia’s recent CDR are all turning up the pressure around the world.
And the card brands themselves ( Visa, Mastercard, American Express, JCB International & Discover) have their own PCI DSS regulations which require merchants to protect customers’ credit card details, with oversight from the global Payment Card Industry Security Standards Council which they set up (and of which Syntec is a participating member organization). They may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations which the banks will most likely pass on until it hits the merchant, as well as potentially terminating the relationship or increasing transaction fees.
Trying to stay one step ahead of hackers and cybercriminals is of course a nightmare for both organizations and individuals alike, with large companies and consultancies often looking for ‘black hats’ (hackers) to convert to ‘white hats’ to help them protect sensitive data and personal information. There will certainly be plenty of experts trying to help the airline industry protect itself from these criminals, just as they are trying to get their aircraft back in the air and revenues flowing again.
If we can at least help them with our CardEasy payment security solutions, designed to stop payment card numbers being stored or stolen in the contact centers where their flight bookings are taken, then they know where we are.