Data Breach Chronicles – A Tale Of Two Strategies

by Nick Evans | Nov 09, 2018 | GeoLang News

Brought to you by GeoLang Ltd and SOLA Group Ltd.

The recent breach of British Airways’ clients’ personal and financial information made headlines around the world. Initially it was believed that hackers had access to the financial and personal information which British Airways’ customers submitted to the BA website for two weeks between the 21st of August and the 5th of September. British Airways originally estimated that the Payment Card Information (PCI) of 380,000 clients had been compromised. This number was later revised to approximately 244,000. However, they later discovered that another 185,000 clients’ PCI had been breached in a separate incident. BA, in compliance with the newly-enforceable European Union GDPR legislation, alerted its customers. The only way the hackers had access to the client data was through the website; nevertheless, the cards and payment methods entered there were obviously compromised.

Of course, no organization enjoys suffering a data breach. There are the major fines which can be imposed by the ICO, the threat of possible class-action lawsuits, and the general chaos which a data breach can cause; not to mention one of the worst aspects of a data breach – the reputational damage it causes. To customers, it seems to demonstrate weakness and disrespect; to shareholders, leadership problems and incompetence. But sometimes the organisation should not be the one shouldering the blame. Because of the interconnected nature of websites, apps, and the Internet of Things, a cyber symbiosis has developed between many different apps. For instance, many people log into various mobile apps using their Google account. This allows the user to have a much easier, more efficient, and more enjoyable experience moving between the different applications, which reflects well on all of the organisations involved. However, the seamlessness of this experience is also a major threat to online security. Should there be a data breach of one of these apps, there is no intermediating barrier between them, so the information that is shared across all of them is compromised.

Revolut is a kind of multi-denominational wallet – it enables its users to easily transfer money between currencies and to pay for goods and services. When the British Airways data breach was made public, Revolut immediately began to compile a list of their users who may have been affected by the breach. They publicized the breach independently of British Airways, then blocked all online transactions made by the cards and also “terminate[d] all virtual cards that were used on the BA website or app during the affected timeframe”. Although not at all to blame for this leakage of their customers’ data, Revolut made a proactive effort to ensure that their customers’ finances were not violated. These actions minimized the extent of the initial damage of the British Airways hack for Revolut customers.

Revolut then created a means for the users who had been breached to obtain a new Revolut card free of charge via their app, and also prepared a support helpline affected users could contact. On the evening that the news of the breach broke, Revolut both texted and emailed their affected customers and, by that stage, was fully prepared to deal with a large volume of affected customers. They also continue to have a landing page on their website which guides those customers who were affected by the breach, and who may have missed the Revolut correspondence, to freeze their accounts. Although the initial breach was not Revolut’s responsibility, they believed that they had a duty to their customers and acted to resolve a potentially catastrophic data leakage. Although British Airways was obviously to blame for the initial leak, Revolut, in taking charge of the events afterwards, ensured that its customers were kept abreast of events. Also, by immediately terminating the virtual cards, Revolut minimized the risk of customers’ money being spent or used by bad actors. As one of their customers, Aaron Kiely, said on Twitter: “What other card company reacts like this. Well played Revolut, well played.”

Another recent incident resulted in very different customer reactions. On Sunday the 22nd of April, many TSB customers found they were unable to access their accounts. This was expected, as a network upgrade was scheduled. However, some customers were not aware of this disruption to their service, meaning that they were confused and stressed by suddenly being unable to access their bank accounts. Aside from this, many of the disruptions persisted long after the scheduled interruption. Several customers discovered that they had incorrect sums in their accounts, and only 60% of those affected were able to contact a customer services representative. In this quarter alone, TSB has lost 16,000 customers. What really rubbed salt in the wound was the fact that this was not a third-party breach: TSB had brought it upon itself. Paul Pester, the then-CEO, was forced to step down, and Jon Yeomans wrote in The Telegraph that TSB “still has its head in the sand”. Through its own poor communication, lack of foresight, and inability to react quickly, TSB cost itself customers.

In short, by making every effort to protect their customers’ data, Revolut truly earned their customer loyalty and protected their customer brand. A truly inspirational tale!