Another week, another serious data breach. This time it is the ‘personal and financial details’ of 380,000 customers of the giant of the skies that is British Airways.
According to the airline, between 22:58 BST on 21 August 2018 and 21:45 BST on 5 September 2018 inclusive, any personal details entered via the website or the mobile app can be assumed compromised by third parties unknown, aka hackers (mwahahaha). This includes payment card details, including the CVC number on the back.
If you think you may be one of these unlucky punters and have not yet been notified by British Airways, you should contact your card provider and consider cancelling it.
Whilst there is no suggestion (a few days after the breach) that passwords have been compromised, if you are one of the many people who still re-use passwords on multiple websites and do not use a password manager (as recommended by the sages of ITC Towers along with security experts the world over), get on with changing all of them. It is a perfect opportunity to use different passwords and adopt a password manager (if you haven't got the hint yet…).
We originally heard that the missing data included passport information. This turns out not to be the case as advised by one ‘CiderMark’ (thanks CM, we love your handle and appreciate your feedback). We were probably a bit keen to get the blog out while the story was developing and should have waited. Will try harder, honest.
Speaking, or rather squirming, on BBC Radio Four's Today Programme this morning (07/09/18), Alex Cruz, the Chairman and Chief Executive of BA, said that malicious third parties (criminals) had launched a sophisticated attack against the web platform. This was detected via one of the airline's third-party security monitoring partners. Given the length of the breach, we wonder if the monitoring partner detected activity such as details coming up for sale, bragging or other tell-tale signs on the Dark Web?
Recent news reports are claiming the entire gig comprised twenty-something lines of code inserted into the payment fulfilment pages of the BA site by the Magecart group!
Obviously the Information Commissioner’s Office has been informed – officially as well as by the shrieking headlines. Since this event is well within the effective range of all GDPR munitions and parameters, we can probably all expect robust action. The report will be fascinating, we are sure.
This is not the first IT-related issue suffered by BA. In July this year there was chaos at Heathrow as flights were cancelled because of 'an IT issue'. The same happened at both Heathrow and Gatwick in May 2017. How long will it be before big heads start to roll?
Only this week, the CEO of TSB Paul Pester bit the bullet following a series of IT blunders at the bank. No wonder Mr Cruz sounded uncomfortable.
Keeping hackers out of your systems is a thankless and difficult task. A determined assailant will find a way in and detection becomes all-important, especially if personal information is involved and regulatory disclosure is required.
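The reports above describe a handful of lines of script inserted into the payment pages themselves, which is exactly the kind of change a baseline check on the checkout page can surface. The following is an added example, written for this post and not code from ITC, BA or the Magecart reporting: it parses the HTML of a checkout page, records the hosts of external scripts, whether they carry a Subresource Integrity hash, and a SHA-256 of every inline script, and reports anything that departs from a known-good baseline. The host names, markup and integrity value are constructed for the example.

```python
# Added example (not from the ITC post or from BA): a baseline check for the
# scripts present on a checkout page, the kind of control that would flag an
# unexpected script inserted into a payment page.
# Host names, HTML and the integrity value below are constructed for the example.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external <script src> entries and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, integrity attribute or None)
        self.inline = []        # inline script bodies as text
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.external.append((attr["src"], attr.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def inline_script_hashes(html: str) -> set:
    """SHA-256 of every inline script body; record this for the known-good page."""
    p = _ScriptCollector()
    p.feed(html)
    return {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in p.inline}


def audit_scripts(html: str, allowed_hosts: set, baseline_hashes: set) -> list:
    """Compare a fetched page against the baseline.

    Returns a list of (kind, detail) findings:
      unexpected-host    external script served from a host not in allowed_hosts
      missing-integrity  external script from an allowed host without an SRI hash
      unknown-inline     inline script whose hash is not in baseline_hashes
    An empty list means the page matches the baseline.
    """
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", host))
        elif host and not integrity:
            findings.append(("missing-integrity", src))
        # A relative src (no host) is first-party; cover it by hashing the file itself.
    for body in p.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed sample pages (not BA's markup): a known-good checkout page and the
# same page with two extra scripts added to it.
ALLOWED_HOSTS = {"js.payments.example"}

BASELINE_HTML = """<html><body>
<form id="checkout" method="post" action="/pay">...</form>
<script src="https://js.payments.example/checkout.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH"></script>
<script>window.checkoutVersion = "1.0";</script>
</body></html>"""

TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://cdn.unexpected.example/x.js"></script>\n'
    '<script>/* constructed: inline script not present in the baseline */</script>\n'
    '</body>',
)


if __name__ == "__main__":
    baseline = inline_script_hashes(BASELINE_HTML)
    print("baseline page:", audit_scripts(BASELINE_HTML, ALLOWED_HOSTS, baseline))
    print("tampered page:", audit_scripts(TAMPERED_HTML, ALLOWED_HOSTS, baseline))
```

Run against the known-good page the audit returns nothing; run against the tampered copy it reports the external script from an unlisted host and the inline script whose hash is not in the baseline. The check only sees what the server hands out, so an edit to an existing first-party script file would pass it: pair it with hashes of the script files themselves, and with a Content-Security-Policy that limits where scripts may load from and where forms may post, so that an injected script has less room to work before the alert fires.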
If you would like to discuss the security cycle (including detection), your cyber maturity or anything else security related, please do contact us at [email protected] or call 020 7517 3900, we will get back to you after we have finished cancelling our cards.
*ITC are delighted to announce that Kevin has been shortlisted for a Security Serious Unsung Hero award in the Cyber Writer category – we are very proud!*
4 Responses
At least their mouthpiece has described the hack as “sophisticated” a beautifully convincing adjective which will have 95% of the public nodding sympathetically but without their ever having been provided any metric by which this description can be scored. Full marks. Already ahead of the Talk Talk or rather Gibber Gibber CEO. This company will soar.
Hi Kevin,
I think that you should recheck your facts before publishing. There were no passport, address, email, password details compromised – only the CC details. I wish it had just been the former!!!!!
Advocating changing your password and “using a password manager” would not have helped in this particular case.
Mark.
P.S. was this a 'dashed off' article so that you can get an early exit for the weekend???? 🙂 🙂
edited – just wrote it very soon after the announcement. Thanks for the feedback
Kev
I think it was Monzo that spotted this first, so there's a good chance it came to light because of anti-fraud measures in the banks and not through BA's security systems. Given the comprehensive nature of the data lifted (CVVs aren't normally stored in supplier databases), my guess is that the data was lifted live off the payments web page. Might be wrong. I don't know.
What do you think, Mr Whelan??