Travel agents say an unprecedented data breach at British Airways shows the value of booking through the trade but is a wake-up call to the risks that cyberattacks pose.
Agents’ clients were unaffected by the hack, which hit 380,000 direct customer transactions made on BA’s website or via the airline’s app between August 21 and September 5, 2018.
Clients’ credit card details are not usually passed to airlines in the booking process. Customers pay travel agencies, which pay airlines via the Billing & Settlement Plan.
Bailey’s Travel owner Chris Bailey called on the trade to capitalise on the opportunity to promote a positive message about booking through agents.
“If you booked through an agent, this would not have affected you,” he said. “We struggle getting this message across.”
Haslemere Travel managing director Gemma Antrobus said: “It’s another reason for clients to book via an agent.”
Julia Lo-Bue Said, Advantage Travel Partnership managing director, said: “With anything this high-profile, it is up to agents to reassure people it is safe to book. It helps demonstrate their value.
Claire Moore, manager of Peakes Travel Elite in Shrewsbury, urged agencies to bolster cybersecurity.
She said: “We work with a local IT company and I’d recommend others do the same.”
A criminal inquiry is being led by specialist officers from the National Crime Agency. The Information Commissioner’s Office (ICO) is carrying out its own probe.
BA could face legal action from passengers and a fine of up to £489 million from the ICO which, if issued, would be the first under the new GDPR.
Cyber experts said the breach should serve as a warning.
Independent cyber consultant Bruce Win said: “It’s a wake-up call – it could have happened to anybody. If you are a travel agent, you let people into your shop but you don’t let them into your back room. Look after your ‘cyber hygiene’.”
Barry Gooch, chairman of industry anti-fraud group Profit, said free or economical software was available to help companies protect data. “Companies don’t have everything in place they should and there are legacy systems out there that need upgrading,” he said.
Lo-Bue Said said cybercrime is a threat to the entire industry.
She added: “The attack on BA shows we all have to make sure our processes are robust.”
Warnings came as cybersecurity firm RiskIQ claimed to have discovered a malicious ‘skimming’ script injected into BA’s website, which it says could have stolen financial data.
Yonathan Klijnsma, head researcher at RiskIQ, said: “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”
BA did not comment on RiskIQ’s findings.
Reports today suggested that the hack could have been prevented and carried out by a group linked to Russia that also carried out a similar raid on Ticketmaster.
How to prevent a cyber attack on your business
• Ensure your business has a good firewall. Install anti-virus/anti-malware software which is kept up to date.
• Obtain a Secure Sockets Layer (SSL) certificate. This encrypts data passed from one computer to another to keep it secure. When installed to the server it activates a padlock and allows secure connections from a web server to a browser.
• Implement software to detect, block and prevent spoof emails, including: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM), as well as Domain Name System (DNS); a database of malicious activity online.