The timing of a data breach is never perfect; however, the reports that Eurostar had fallen victim to a data breach on Halloween ‘screamed’ irony.
All joking (and bad puns) aside, the news that some customers had their passwords reset because of a breach is concerning, and it’s the latest in a long line of data breaches to hit the travel industry. Cathay Pacific, British Airways and Delta Airlines have all made headlines in the past year alone. Millions of people have had their data stolen, including credit card information, so it’s hardly surprising that our own customer research found that travel is viewed as the second least secure industry behind retail. So, what’s different about this breach compared to the others? Eurostar were able to take a negative event and turn it into a positive, and one line of their official response stood out for us:
“We deliberately never store any bank card information, so there is no possibility of compromise to credit card or payment details.”
Being able to make this statement doesn’t negate that a breach has happened, but it goes a long way in limiting damage to both consumers and the business. By comparison, the BA data breach hit the front pages of all the newspapers for days and their share price dropped by 4% (roughly £500m). There were numerous reports of their customers having to cancel credit cards, and if cards have been fraudulently used, BA will have to pay, along with facing any fines from organisations such as the ICO, which could be anything up to £500m. Eurostar, on the other hand, received very little press coverage and simply sent out password reset links to accounts they suspected were affected, and customers didn’t have to go through cancelling credit cards. Not only this, Eurostar will not have to worry about additional costs through cards being fraudulently used. Because they had taken positive steps to limit what data they stored, they controlled the damage before the breach had even occurred.
This is something we at PCI Pal have long advocated. Using the contact center as an example, solutions such as Agent Assist ensure no cardholder data enters the contact center environment. It’s not seen or heard, so it cannot be stolen. Given that 76% of data breaches are financially motivated, and comparing this data breach to others, businesses should seriously consider whether they can afford not to descope.