That BA Breach

Card data loss

Amongst my emails this morning came a missive from British Airways:

" ... the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised"

Why BA feel the need to use the Oxford comma incorrectly, I know not. Though it is a bit of a bug-bear of mine, that is not the reason for this piece. Unless, of course, they had slipped a split infinitive or two in there, just for fun.

Getting back to the matter in hand, the email was addressed to "Dear Customer", not to me personally; from this we may deduce that the email is a round robin, rather than a message alerting specific people to specific events. Further, the email places the burden on me to check with my bank or credit card company.

We need also to look at the wording. "Compromised"? What does that mean? The definitions of "compromise" are manifold (as are those of "manifold"!); the nearest would be "to expose or make liable to danger, suspicion, or disrepute". There is nothing dangerous about my bank account. You are more than welcome to my overdraft; but I would fain hope that it is neither suspicious nor an object of disrepute. Let's be truthful here: "stolen" is the word that is sought.

That BA had a data breach is regrettable, though in all fairness most sizeable firms have to fight a running battle against hackers and the like. No doubt, at this very moment, there are those launching full-scale assaults against Government websites as well as major online retailers. It is not that it happens; it is the response after it happens that matters.

As an agent, I often use airline websites to settle the provision of extra bags and seating arrangements. It is quicker and easier than going through the GDS (Global Distribution System) and issuing an EMD (Electronic Miscellaneous Document). More often than not, I use the client's card (yes, with their permission), as it saves using our agency card and incurring any resultant charges. So, I do not know what may have been stolen, or from whom. I don't know about you, but I would have trouble trying to ascertain what I had purchased with which card over the last two weeks.

People can (or should) accept that, for any large business, it is a constant battle between themselves and, perhaps, some of the planet's most accomplished hackers. So, what should one do?

1. Be honest. Do not let the marketing types write any communications. If details are stolen, then they are stolen. Not "compromised".

2. Personalise emails as far as possible. If only some financial data has gone (as opposed to all of it), then the information must be made available to address those whom it concerns. There is no need to terrify the whole of civilisation. Let people know exactly what data has been stolen, not some vague label such as "financial".

3. Do not just tell clients what they must do. Your customers did not create the problem, therefore it should not be incumbent solely on them (or at all, really) to fix it. Explain what the firm is doing now and what it proposes to do in the future.

4. Offer a helpline that is adequately staffed. Just giving the URL of some web page makes it seem like nobody cares.

5. Have mechanisms in place to identify which card details have been stolen and arrange for those cardholders to be contacted directly, as quickly as possible. There is enough talk about who owns the customer, along with systems designed to garner as much information as possible about customers; use that information for something other than simply asking whether a customer wishes to buy a bun on their flight to wherever.

6. Be clear about compensation, if appropriate: how a customer may respond and/or make a claim (yes, that bit can be achieved online), what information is required and (perhaps) a base amount offered for the time a customer will have to spend trying to recover lost funds, having cards changed, or simply spending a good few hours calling credit card firms and banks.

The above suggestions are neither exhaustive nor all-encompassing by any means. The point is, a round robin telling customers what they must do is not enough. Further, any firm needs to recognise the seriousness of the event, and that is not achieved by using woolly marketing-speak.

There is a saying which any follower of Bill W will recognise: "When you are wrong, promptly admit it". It is a first step.

