Executive Summary
Information security management plays an integral role in the performance of every organization. In the era of advanced development of information technologies, numerous companies have become attractive victims of hackers in terms of customers’ information. British Airways, as a noticeable member of the airline industry, actively integrate the collection and processing of personal data to improve the passengers’ experience and enhance performance. As a result, the company experienced several data breaches that had substantial effects on the business and the stakeholders. British Airways had significant financial losses in the penalties due to the last violation in 2018, following the provisions of the new GDPR. It is critical for the company to implement new information security management strategies and policies, to involve top management in protection measures’ development, increase awareness, and provide the customers with the most effective security level.
Introduction
Information technology advancements and the integration of numerous services that require the users to provide personal data impose challenges for organizations in terms of security and protection. Data breaches and violations represent significant risks for the companies in terms of their image, reputation, and potential financial losses. Due to the high stakes, security awareness becomes “the most important factor that mitigates the risk of information security breaches in organizations” (Safa, Von Solms, & Futcher, 2016, p. 15). Consequently, different businesses have a threat of breaks in the data security system, which implies the necessity of rigid and thorough information security management. British Airways is an example of a large company that has severe data security issues, which had a critical impact on the organization and the consequences of which it is still bearing. The purpose of this paper is to analyze the fundamental principles and practices of information security management within British Airways, considering the requirements for managing digital data. Below you can see the outline for the paper.
- The description of personal data collection and processing within the airline industry organizations.
- The history of the information security breaches at British Airways.
- A thorough investigation of the 2018 data breach at British Airways and its implications for the company.
- Information security risks at British Airways and the significance of proper protection measures within the organization.
- Recommendations to integrate to improve data security management at British Airways.
Big Data as Top Priority
British Airways is operating within the airline industry that portrays the field with substantial usage of personal data due to the nuances of the industry’s primary activities. Every airline is seeking to improve the services to the customers, which motivates them to utilize big data technology in the operations (Chang, Ji, & Arami, 2019). In such a way, the companies in this type of business aim to optimize existing services, such as booking, searching for flights, or payment options, making them more satisfying to customers. The statistics show that 61% of the airline companies’ CEOs view big data as a “top priority” because collection and assessment of information are crucial for the improvement of customers’ experience (Chang et al., 2019). Hence, the airlines gather and analyze the passengers’ data, which makes the companies within this industry the huge producers and storages of individuals’ information.
British Airways Data Breaches History
British Airways became a target for hackers, as an attractive source of information because, today, data represents one of the most valuable assets. First, the company had a program for frequent-flyers that offered bonuses and privileges for loyal customers. The problem occurred in 2015 when the frequent-flyer accounts were hacked, and British Airways became the victim of the breach, along with such companies as Lufthansa and United Airlines (“Global data leakage report,” 2015). Another critical incident occurred to British Airways in 2017, when the disruption of the information system caused the cancellation of hundreds of flights, resulting in substantial financial losses (Spremić & Šimunic, 2018). Besides those information security issues, one of the most considerable problems became the breach of 2018, connected to the payment cards, which resulted in a severe scandal for the company (Foulsham, 2019). Consequently, it is possible to state that British Airways experienced several breaks in data security and protection, which imposes critical challenges for the organization and highlights the need for rigid regulation.
The fact that British Airways went through several breaches and disruptions highlights the necessity of strict information security management in the company. The work of the data protection department, similar to the work of other departments within such a large organization, often relies on the key objectives and mission of the business. After the redefinition of its mission, vision, goals, and values in 1997, British Airways decided to focus on the competition challenge, the desires of the customers, and the employees’ demands (Karami, 2017). The paragraphs above mentioned that the aim to provide the best experience to the customers motivates the airline companies to use big data analysis. In such a way, intending to meet and understand the client’s needs and preferences and to overcome harsh rivalry within the industry, British Airways needs to collect and process data. Moreover, with a substantial volume of information coming into the company’s possession, it is critical to have robust security and protection measures.
2018 Data Breach
At this point, it is crucial to investigate the data breach of 2018, which had a significant influence on the company’s finances and image. The approximate numbers show that the information about more than 400,000 reservations completed between the last week of August and the first week of September was stolen during the breach (Murugesan, 2019). The data provided to the airlines can include specific financial information and personal facts, which makes it valuable to cybercriminals. During the attack of 2018, the stolen data consisted of names, addresses, passport numbers, e-mails, and payment card details (Murugesan, 2019). This event represents a severe information security violation, which implicates that British Airways did not manage to protect the data and follow all rules that aim to eliminate related risks.
The fines imposed for the business follow every information security breach, which becomes a result of ineffective data protection. With the GDPR implementation in 2018, the financial losses for the companies in case of security violations have significantly increased. As a result, the Information Commissioner’s Office (ICO) issued a notice that it intended to fine British Airways for more than £180 million for breaking the GDPR provisions (“Intention to fine,” 2019). It is possible to say the breach placed information of numerous passengers at risk, imposing a potential threat to their personal and financial security. The ICO investigated the breach and found that the data “was compromised by poor security arrangements at the company” (“Intention to fine,” 2019, para. 4). Consequently, British Airways failed to protect its passengers’ data, violating their privacy rights.
Thus, British Airways did not manage to provide an adequate security level to its customers, which essentially deterred the company’s image and reputation among the stakeholders. The ICO’s investigation also concluded that the hack involved the redirection of the customers to the fraudulent site (Calder, 2019). With the rapid advancement of information technologies, it can be challenging to keep up with the website updates, which can lead to severe issues. Besides, the Information Commissioner stated that “when you are entrusted with personal data you must look after it”, implying the failure of British Airways to protect their customers (Calder, 2019, para. 19). As an airline business that actively uses customers’ data, the organization has to be ready for the external threats and risks, and the events of such substantial breaches emphasize the inefficiency of information security management.
It is crucial to take a look at the fine imposed on British Airways one more time. With the introduction of the GDPR that came to the arena to replace the Directive, the financial penalties for the companies that violate data security have significantly increased (Houser & Voss, 2018). According to the GDPR, in severe cases of data violations, the authorities would have the right to fine the organization for up to 4% of the global turnover (Houser & Voss, 2018). The paragraph above mentions that the fine for British Airways constituted almost £200 million. According to the IC, the imposed punishment does not reach 2% of the company’s turnover, and British Airways CEO believes that the penalty is unfair because they responded to the incident immediately (Calder, 2019). Thus, the data breach happened in this airline company after the integration of the GDPR, which led to substantial financial losses for the business.
Information Security Management at British Airways
Hence, British Airways needs to reconsider the information security management principles to address possible threats and ensure personal data safety. According to Karyda (2017), information security represents “a major challenge for organizations due to the proliferation of digitalisation and constant connectivity” (p. 28). Consequently, British Airways has to understand the necessity of placing data protection measures in the first place among the priorities. Possessing an understanding of the importance of the issue can help to generate required strategies and effective tactics to improve the situation. Besides, it is integral to remember the technological advancements that do not necessarily provide more effective protection (Karyda, 2017). Thus, following the standard programs and policies and integrating new technologies might not be enough for the information security management in the company.
It is particularly critical for British Airways due to the incidents that the company has experienced and the recent statements about the vulnerability of the electronic ticket system. According to the researchers, the links that British Airways sent for check-in to the customers were unencrypted, which makes them vulnerable to unauthorized parties (Narendra, 2019). This situation represents another risk for British Airways’ data breach. One of the solutions that the organization implemented was requiring explicit user authentication, and encrypting the links for the check-in processes (Narendra, 2019). Moreover, it is critical to remember to fulfill all the aspects of proper information security management. Every organization, always, should focus on preserving the principles of “authenticity, accountability, non-repudiation, reliability, and privacy from unwanted incidents” (Karyda & Mitrou, 2016, p. 64). Consequently, British Airways should continue dedicating its resources to strengthening data security management and carefully following the required principles.
Thus, British Airways needs to remember the critical aspects of information protection to utilize necessary improvement strategies. According to Peltier (2016), “information protection requires a comprehensive and integral approach” (p. 2). In other words, it is vital to undertake all of the stages, such as the initiation and analysis, risk analysis, and the investigation of potential impacts. It is possible to say that the most useful information security management system will go through the stages of the life cycle to create the most efficient protection measures (Peltier, 2016). Therefore, British Airways can consider re-evaluating the information security process within the organization and introduce a new model that will comply with the new GDPR requirements and will consider all possible risks.
Recommendations and Conclusion
British Airways, due to the history of information security violations, needs to consider the process of data protection rigidly. Some of the proposals for the existing information security management include the active support of top management because its involvement in the generation of policies concerning security can positively influence the effectiveness (Soomro, Shah, & Ahmed, 2016). Besides, it is critical to implement data privacy awareness as it can propose knowledge to the working team and expand the perception of successful security management. Another suggestion that applies to British Airways is the establishment of communication between the information technology managers and the risk analysts within the company (Soomro et al., 2016). Through collaboration, the professionals can get new insights and generate more influential security policies and strategies.
In conclusion, British Airways, as an influential organization in the airline industry, represents an attractive source of personal data for hackers and related security violations. Throughout the last couple of decades, the company has experienced several events of information breaches, which shook the business’s stability and reputation. British Airways must evaluate its current information security strategies and conduct a thorough analysis of the potential risks that it might face in the future. Rigid compliance with the GDPR policies, raising awareness among employees, involving top management, and working on strengthening protection measures will positively impact British Airways’ image and performance.
References
Calder, S. (2019). What is the British Airways data breach, and how does it affect passengers? Web.
Chang, V., Ji, Z., & Arami, M. (2019). Privacy and ethical issues of big data in the airline industry. In 4th International Conference on complexity, future information systems and risk (pp. 139-148). Heraklion, Greece: SciTePress.
Global data leakage report. (2015). Web.
Foulsham, M. (2019). Living with the new General Data Protection Regulation (GDPR). In M. Krambia-Kapardis (Ed.), Financial Compliance (pp. 113-136). Cham, Switzerland: Palgrave Macmillan.
Houser, K. A., & Voss, W. G. (2018). GDPR: The end of Google and Facebook or a new paradigm in data privacy. Richmond Journal of Law and Technology, 25(1), 1-70.
Intention to fine British Airways £183.39M under GDPR for the data breach. (2019). Web.
Karami, A. (2017). Corporate strategy: evidence from British Airways plc. In F. Analoui (Ed.), The Changing patterns of human resource management (pp. 46-64). New York, NY: Routledge.
Karyda, M. (2017). Fostering information security culture in organizations: A Research Agenda. In 11th Mediterranean Conference on information systems(pp. 28-38). Genoa, Italy: Association for Information Systems.
Karyda, M., & Mitrou, L. (2016). Data breach notification: Issues and challenges for security management. In 10th Mediterranean Conference on information systems(pp. 60-72) Paphos, Cyprus: Association for Information Systems.
Murugesan, S. (2019). The cybersecurity Renaissance: Security threats, risks, and safeguards. IEEE India Council Newsletter, 14(1), 33-40.
Narendra, M. (2019). Privacy: Further vulnerabilities found in British Airways cyber-security. Web.
Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. Boca Raton, FL: Taylor & Francis Group.
Safa, N. S., Von Solms, R., & Futcher, L. (2016). Human aspects of information security in organizations. Computer Fraud & Security, 2016(2), 15-18.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs a more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Spremić, M., & Šimunic, A. (2018). Cybersecurity challenges in the digital economy. In Proceedings of the World Congress on engineering (pp. 341-346). London, U.K.: IAENG.