British Airways: Data Breach (2018)
Who is British Airways?
British Airways is an airline company created in 1974 after its board was established by the British government. Originally, British Airways was four different airline companies that later merged into one. It is the second-largest flag carrier airline of the United Kingdom behind EasyJet. British Airways began merging with holding companies in 2011 to obtain an international presence. As the company grows, so do its technological advancements. This is great for a company that is expanding, but as it continues to grow and advance it does not seem to be taking the correct precautions when it comes to its security protocols. There have been occasions where British Airways has been under cyber attack. Although it follows protocols for the aftermath of an attack, it needs to develop something that will eliminate or diminish the attacks.
Ethics Case Controversy
In the British Airways data breach, details of passengers’ credit cards were stolen. In the summer of 2018, cyber criminals stole payment card details from approximately 500,000 passengers who bought flights on the British Airways website, app or through Avios. “The personal data comprised the passengers’ name, travel plans, billing address, email address, and payment card details, and the three-digit security code from the back of the card” (Calder). Code was injected into the British Airways website and app, and for three weeks information was being stolen.
With British Airways being one of the largest airlines in the United Kingdom, for it to experience a data breach means that millions of its customers are at risk of having vital information stolen. It is reported that British Airways is to pay a fine of nearly $230 million for the data breach that occurred last year (Satariano). Under European data protection law, this is the largest penalty against a company for privacy lapses. “Frustrated that businesses were not doing enough to protect people’s online information, European policymakers last year adopted a new law, the General Data Protection Regulation (GDPR)” (Satariano). Regulators are cracking down on companies like British Airways because these companies are not understanding the importance of keeping their data protected. British Airways has had numerous incidents of data breaches, but they were not as big as the one it faced last year.
The main stakeholders in this controversy case are the 500,000 customers who had their information stolen through the hack. Out of those 500,000, some have to deal with the financial burdens that the hack brought upon them. Beyond the customers who had their information stolen, there are the investors involved with British Airways. Even though this company is rapidly growing, investors have to consider whether they want to keep investing in a company that is prone to cyber attacks.
The individualism theory looks to maximize a business's profits. “Friedman held that it is the aim and responsibility of businesses to maximize their profits” (Salazar, 17). British Airways was responsible for maximizing its profits according to the individualism theory, and although it is hard for a company to prevent a hack, the company should have tried harder to do so. Since British Airways did not act accordingly to prevent the attack, it was acting unethically, because the data breach resulted in a huge loss in profit and jeopardized the relationship British Airways had with its stakeholders. Once a company has its information hacked, civilians or other companies can obtain it and ultimately use it to their advantage. That advantage could be any number of things, such as using the information to get a competitive edge. Whatever the use is, this can be another way the company can lose money.
This theory analyzes a way to maximize happiness. It takes the side of the stakeholders and considers their overall happiness with the decisions that were made. In the British Airways case, their overall happiness is due to the lack of decision being made. This theory would view the British Airways case as unethical due to the company's lack of awareness in protecting its customers' information. “Utilitarianism tells us that we can determine the ethical significance of any action by looking to the consequences of that act” (DesJardins 29). The company’s attention should have been on maximizing pleasure and minimizing pain for the stakeholders. It not only caused pain for its customers, but it is also facing consequences by paying a 230 million dollar fine. Even though British Airways was not the one who orchestrated the cyber attack, it is still to blame because it did not take the necessary protocols to avoid it.
The Kant theory states, "...it is wrong to manipulate, exploit, or use people to their own advantage" (Salazar, 21). Not only is this an important part of the theory, but the types of motivations that drive a decision are also a key aspect of it. There are three motivations this theory expresses, and the one that British Airways does not follow is "the moral law or duty". British Airways had a duty to protect its customers’ information and it neglected to do so. Not everyone knows the risks of booking a flight online, so British Airways should have informed its customers that there is a chance that their information might be exposed to hackers. It would have lost many customers, but putting that information out there would allow customers to choose, which would show that the company had good intentions.
The Virtue theory asks about a person’s character and assesses whether the person is virtuous. "act so as to embody a variety of virtuous or good character traits and so as to avoid vicious or bad character traits" (Salazar, 17). British Airways was lacking in some of the character traits, but there were many traits that the airline company displayed that proved it acted ethically according to this theory. Honesty, compassion, and care are some of the virtues this theory looks for when analyzing whether a person or company has a good character, and this company exhibited those virtues. After the cyber-attack, British Airways issued a statement stating that it was shocked that this happened. It had the option to hide this from the public, as many companies in the past have done, but it chose to inform the public instead. It also provided financial support to customers who faced any financial burdens.
Justified Ethics Evaluation
In my opinion, I would say that the actions in this case were dealt with reasonably, and I would follow the virtue theory and state that British Airways acted ethically. What they did after the attack shows me that they valued their customers and were truly apologetic about what had happened. First, there was the statement they issued about the cyber-attack. It was issued in a timely manner so people could be informed sooner rather than later. Second, they thought to provide help to those who suffered from the cyber-attack. This was a well-played character move instead of a business move. If they thought solely about the business, they would not feel the need to issue a statement informing their stakeholders about what happened, and they certainly would not pay their stakeholders for their loss. Taking their aftermath plan into consideration, I would stand behind this company. It is hard to avoid an attack, but how a company deals with it can determine the company's success or failure.
Calder, Simon. “Everything You Need to Know about the British Airways Data Breach.” The Independent, Independent Digital News and Media, 8 July 2019,
DesJardins, Joseph. An Introduction to Business Ethics. New York City: The McGraw-Hill Companies Inc, 2014.
Salazar, Heather. The Business Ethics Case Manual. n.d.
Satariano, Adam. “After a Data Breach, British Airways Faces a Record Fine.” The New York Times, The New York Times, 8 July 2019,