380,000 Card Payments Compromised In British Airways Breach (sky.com)
Earlier today, British Airways said credit card information of at least 380,000 customers has been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."
But likely this will not cost them a thing.
That is far from reality. To process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standards), a self-regulatory scheme created and ruled by the major card brands. When such an incident happens, it usually hurts companies pretty badly, because the following things happen:
- You need to engage a PCI forensic investigator (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're talking about probably 20-30 companies worldwide, and they know this is not really optional for you and that you must move quickly, so they won't hesitate to charge you 300-500 USD per hour. They assess the extent of the breach, the number of accounts compromised and whether or not it happened because you were not complying with the PCI requirements.
- If that turns out to be the case, you will have to pay non-compliance fines. These range between 10,000 and 100,000 USD, but this is usually the least of your worries. (These fines are imposed by the card brands on the acquiring banks and then passed on to the merchant.)
- Merchants are then liable for the costs issuing banks incurred to remediate the breach. The biggest part of these costs is re-issuing cards and recovering fraudulent charges made on compromised cards. This depends on the volume of the breach; the average cost is somewhere between 3 and 4 million USD, but when this happens to large merchants, we're talking more about tens of millions. (The range is quite large, but we're talking about 30-100 USD/card.)
- Merchants are responsible for notifying each impacted customer individually.
- Before being able to process payments again, you will have to demonstrate to your acquiring banks that you are now compliant and able to prevent future security breaches. This means getting your (or external) security experts fully focused on that.
- Reputational damage is also to be considered; the loss of customer confidence will most likely have an impact on sales.