10 Sep 2018

BA data breach is a wake-up call, but the alarm has been sounding for a while

British Airways has been responding to a serious data breach which has exposed customers’ personal and financial data, and trying to make amends. But vulnerability of data systems is nothing new, and all travel companies—airlines and others—are prime targets.

The breach affected transactions both on ba.com and on the British Airways app, which launches a web portal to complete bookings. The airline has date-stamped the first breach event as 22:58 BST August 21, 2018, through to 21:41 BST September 5, 2018, inclusive.

News of the breach made headlines on the morning of September 7 after the airline posted an advisory on September 6. In this case, British Airways has been far more transparent about data exposure than other brands.

British Airways has advised all customers who fear that they might be affected to contact their banks and credit card companies. The airline has also notified the police and authorities of the breach.

It is estimated that about 380,000 card payments may have been compromised, but the breach was limited to financial data and did not include itinerary or passport details.

Alex Cruz, British Airways’ Chairman and Chief Executive Officer, apologised to customers, saying in a prepared statement:

“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

Cruz also told the BBC’s Today programme that the airline was “100% committed to compensate” affected customers. “We will compensate them for any financial hardship that they may have suffered.”

News of the BA breach comes soon after Air Canada alerted customers to “unusual login behaviour” detected on its mobile app. The attack affected approximately 20,000 customers between August 22 and 24 of this year. However, the airline succeeded in blocking attempts, locked out accounts with suspicious activity and reinforced its cyber protections. Air Canada said that customer credit card data was not at risk in this case.

But cybersecurity will continue to be an issue for all brands—in travel and beyond—not just airlines. The alarms have been sounding for years, including the Hilton Worldwide Holdings breach that exposed credit card data for more than 363,000 of its customers in 2015. The company agreed to pay $700,000 in a settlement of the case in 2017.

In 2016, a breach of Uber data exposed about 25 million people, including 4.1 million drivers. The company took a year to admit that its systems had been compromised, and it also paid hackers a “bounty” to destroy stolen data.

Managing a breach quickly and well, if it happens, is critical to preserve brand reputation and to manage liability. In this sense, British Airways has handled the crisis well.

Speaking to a question on the British Airways breach during last week’s Aviation Festival London, Emirates President, Sir Tim Clark, emphasised that all companies need to be vigilant and hire experts to search for possible vulnerabilities.

“This is not peculiar to the airline industry and BA has had a dose of bad luck in the past couple of days. We know that. If you see the cyber attacks going on in multiple areas—whether they be the educational establishment, government institutions, arms… security… whatever it might be—there are people who will continue to prove what they can do regarding their ability to interact with these systems. In this case BA, and others that have come up.

“So what do we do about that? Well, as we go down this digital transformation, and as we rely more and more on information technology to drive all the ways and methods that we interact with our consumers… the way that you go about building your IT infrastructure is to be sure that you have some kind of internal digital [tracking] methods. So that when viruses appear, and when people hack you, you are alerted to it. That’s what we’ve done.

“[Have the cybersecurity team work] with people who are very qualified in that area… There are many people out there who can come onboard and trial what they can do to take you down and to compromise what you’re doing. The fact is that if you don’t spend time and money on it, you’re going to be critically exposed… Of course, with the customer-facing businesses like ourselves who have trillions of terabytes of data about people—GDPR notwithstanding—we are hugely exposed so we really have to do better. And we will.”