Turbulent times
British Airways data breach suggests a need for change
Spare a thought for Glenn Morgan, the embattled “head of digital transformation” at BA’S parent, IAG. As he mops up the mess after another IT disaster at the world’s favourite airline this weekend, he’s unlikely to be enjoying a restful Saturday with friends and family.
Then again, neither are many of the 380,000 anxious victims of a cyberheist last month in which hackers spent 15 days plundering the personal and financial details of BA customers before anyone noticed.
It’s no surprise Mr Morgan has a lot of explaining to do – to customers being kept on hold as they wait to speak to their credit card providers, to pucefaced shareholders – and to IAG’S notoriously direct chief executive, Willie Walsh.
Nor is it the first time Mr Morgan and Alex Cruz, BA’S chief executive, have been on the back-foot over the airline’s dozy handling of its IT systems.
In a relentless drive to squeeze out costs and compete with Ryanair and Norwegian, the airline hasn’t been content with tossing the free sandwiches and booze from its in-flight trolley service or cutting down on legroom.
Mr Morgan, a 20-year BA veteran whose Linkedin page says he “holds a Black Belt in Six Sigma and is a specialist Lean practitioner”, has been busy wielding the axe.
He and his team have overseen dramatic change to the group’s IT systems. After pruning hundreds of in-house specialist IT jobs at BA it then signed a huge outsourcing contract with Tata Consultancy Services (TCS), the Indian IT giant, in 2016.
At the time BA said: “IT services are now provided globally by a range of suppliers and this is very common practice across all industries and the UK government.”
That’s undoubtedly true, but it’s fair to say that for BA not all of those innovations have gone entirely smoothly. After all, the outsourcing of complex, mission-critical IT systems for a consumer-facing, global airline to a fragile web of third-party providers can be a perilous affair.
In May 2017, an IT meltdown triggered by a power outage at Heathrow prompted BA to cancel flights affecting 75,000 people over the bank holiday weekend.
Then, just over a year later in July, another network crash blamed on a “supplier IT system” caused dozens of flights in and out of Heathrow to be cancelled.
Whether or not this latest cyberhack was the direct result of costcutting or something else is not yet clear – but it doesn’t look good for Mr Morgan or Mr Cruz.
The initial hack on Aug 15 was bad enough but the company’s failure to spot anything was amiss for 15 days was unforgivable.
Somebody had their eye off the ball and it’s hard to see how one of them won’t lose their job over this.
At least BA can be thankful for one thing – its decision to shelve an ill-conceived marketing campaign a few years ago dubbed “Ungrounded Thinking”.
Back in 2013, BA organised what it described as an “11 hour in-flight hackathon” packed with Silicon Valley software programmers from San Francisco to London.
As they brainstormed for fresh ideas to encourage more young people to learn science and engineering, while high above the clouds, BA sought to use the event to bolster its credentials as an innovative, technology-driven company.
It seems the stardust from the luminaries on-board from Google and Rocketspace didn’t settle on BA’S own IT department however.
All that brain-power might have been better spent brushing up BA’S in-house cyber-security. In hindsight,
‘There are only so many times a company can keep saying these things before they start to wear a bit thin’
it was probably lucky it didn’t turn the hackathon – an idea cooked up by its advertising agency Ogilvy – into an annual affair.
This sort of corporate guff is risky at the best of times.
To have kept it going would have exposed BA to ridicule.
Either way, the email that arrived in BA customers’ email inboxes at 2.44am yesterday served up the usual platitudes offered up by companies that have been hacked:
“We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.”
It’s a message that sounds eerily similar to one sent out in May of last year by Mr Cruz. “We are extremely sorry for the huge inconvenience this is causing our customers and we understand how hugely frustrating this must be, especially for families looking to get away on holiday.”
In truth, there are only so many times a company can keep saying these things before they start to wear a bit thin.
Analysts think any losses will be covered by BA’S insurance but a hefty fine is looming none the less. The damage to BA’S reputation is likely to be worse.
Hacks and other IT problems are emerging as one of the biggest risks facing all international companies – but there are some such as TSB, Talktalk and BA – which seem to have emerged as repeat offenders.
The risk for these consumer-facing companies is higher in some ways than for less visible companies.
Miners, manufacturers and logistics companies suffer hacks as well – but the damage to their reputations among consumers is unlikely to be so severe.
Nevertheless, the fact is that BA urgently needs to sort out its IT systems. That means fresh leadership and fresh ideas. Time, perhaps, for some more grounded thinking?