It’s been a difficult few months for British Airways.
In May 2017 it was hit by an IT ‘meltdown’, resulting in thousands of stranded passengers and continued knock-on effects – with further glitches and delayed flights this summer. There was additional embarrassment when more than 2,000 customers had tickets cancelled because they were too cheap…
Now, it has suffered the further ignominy of being hit by a large-scale cyber-attack. In a statement the airline confirmed that around 380,000 payment cards had been compromised as a result of what CEO Alex Cruz called a "sophisticated, malicious criminal attack" on the BA website. The incident has already been labelled by some as a “PR disaster”.
Data breaches are, unfortunately, part and parcel of business (and personal) life in the modern world and, for most organisations, it is very much a question of when - not if - an incident occurs.
Very clearly, BA will have suffered further damage to its reputation following the events of the last 48 hours, having already taken a real hit in 17/18. The airline has already gone from being the number 1 brand in the UK Superbrands Index, to falling outside of the top 20. The impact of crisis incidents, and their effective handling, is all too clear. And for anyone still wedded to the outdated perception that ‘reputation’ is still just that bit too intangible to have a real impact on the bottom line, consider that BA’s parent company IAG lost almost £200m in share value following the May 2017 IT incident. It of course remains to be seen what the full impact of the cyber breach is (though IAG shares did drop around 3% at close of trading on Friday 7 September), with some of the effects likely to be longer term as customers assess BA’s effectiveness in responding to the incident and their efforts to rebuild any lost trust.
And this is the key point. ‘Crisis’ incidents will occur (and cyber breaches should be treated, practically, in exactly the same way as other incidents), and the imperative for brands is, firstly, to recognise this fact and to prepare more, and more deeply.
While all incidents are different by nature, doing the prep work, testing protocols, and developing robust plans and materials is invaluable when it comes to rolling out a response in real life.
Secondly, when an incident does occur, communications must be robust and transparent, and allied with factual proof points that illustrate the concrete steps taken to address the issue. Again, circumstances will dictate what messages are most appropriate and, in the case of a data incident for instance, there may be communications regulations – in terms of reporting and notifications – that brands must be mindful of.
To a large extent, BA should be applauded for their response so far - particularly regarding the speed of response, transparency in addressing the facts, and the visibility of the CEO who has been active across the print and broadcast media since the news broke.
Lastly, lessons must be learned from incidents and these must be applied to future preparedness and resilience work. Then the recovery period can begin, with strategic initiatives aimed squarely at recovering trust and repairing reputation.
In the case of BA, there could yet be more turbulence ahead before the rebuilding begins and the brand is flying high again.
(Updated to reflect IAG share price at COB 07/09/18)