Crisis Case Study: British Airways bold data breach response
By Michelle Wang and James Fitzpatrick
It’s one of the world’s largest airlines…with a very large customer database. On September 5, British Airways discovered their database had been hacked, with credit card and personal information from 380,000 British Airways travellers compromised.
The pressure was on British Airways to protect their brand and reassure their customers, and they nailed it with a transparent and bold response.
From August 21 to September 5, a foreign entity hacked into the airline’s database, obtaining personal and financial information from hundreds of thousands of customers. That information came from both their online transaction and booking system and the British Airways app.
They notified the police and began their own internal investigations.
The investigation revealed an attack by a sophisticated hacking group. Although no passport information was obtained, some experts have likened the attack to online card ‘skimming’, in which credit card data is copied as it is entered into the online booking system.
Despite the IT incident creating an initial whirlwind of discussion and insecurity for customers, British Airways and their CEO Alex Cruz took control, settled the situation and limited the media storm.
After notifying the appropriate authorities, British Airways contacted every affected customer within two days.
The company then openly addressed the media, with CEO Alex Cruz using simple, empathic and transparent language in an interview with the BBC:
“[We are] deeply sorry… We know that the information that has been stolen is name, address, email address, credit card information.”
In a bold move, Cruz appeared live on the BBC’s breakfast news program, answering even the toughest of questions.
Additionally, British Airways told worried customers to check their transaction history if they purchased flights in the period of the hack, stating that they were 100% committed to returning lost funds to customers who had been affected.
A new era in crisis management
The multi-million-dollar aviation company managed this data breach in a way that has been commended by many across the world.
Traditionally, a company’s crisis communications plan may have simply involved ‘sweeping things under rugs’ and hoping the story never gets out. Spokespeople are often criticised for seeming to avoid responsibility or providing ‘non-apologies’ (sorry not sorry), and providing long-winded answers that dance around the truth.
From our experience, it’s becoming clear that customers, employees, and the media are getting tired of this approach. For the most part, people are willing to accept that mistakes happen – and that even the most robust security system can get hacked. What they want to know is that you’re taking ownership of the problem and doing something about it.
British Airways’ response was exactly that:
Here’s the extent of what happened
We’re sorry that it happened
Here’s what we’re doing to fix it
Here’s how you can be compensated
Taking full responsibility and agreeing to compensation is a difficult decision to make, but the alternative (loss of customer and stakeholder faith for the foreseeable future) could be much worse in the long run. If nothing else, your team should at least consider this approach as an option.