
British Airways Data Breach Exposed Customers’ Payment Card Details To Hackers

by Abeerah Hashim

Earlier this week, British Airways admitted to an incident that looks somewhat similar to the Air Canada data breach. According to the airline’s report, unknown attackers pilfered a large chunk of customer data from the airline’s app. Specifically, they stole the data of 380,000 customers, including their payment card details. Since fixing the British Airways data breach, officials have apologized to their customers and have also offered compensation to victims who suffer any resulting financial losses.

British Airways Data Breach Affected Thousands Of Customers

On September 6, 2018, British Airways posted a tweet on its official Twitter account stating that it was ‘investigating the theft of customer data’ and sharing a link to the official notice on its website.

https://twitter.com/British_Airways/status/1037755174700417025

According to what Mr. Alex Cruz told the BBC, the airline suffered a malicious cyber attack that let the attackers pilfer customers’ data. As stated on the airline’s website, the recent British Airways data breach affected customers who made new bookings or changed existing ones on BA between August 21, 2018, and September 5, 2018. The number of affected customers reportedly reached 380,000.

After determining the extent of the breach, BA began contacting the affected customers. On the positive side, BA has pledged to compensate customers for any potential financial losses. Mr. Cruz said,

“We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”

How Did It Happen?

As for how the breach happened, neither BA’s notice nor Mr. Cruz revealed any specific technical details. All he said was,

“We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.”

Nonetheless, this has not stopped experts from analyzing the situation and speculating about the likely cause. Stephen Gailey, Solutions Architect at Exabeam and former Head of Security at Barclays, told LHN,

“Bad news for BA and for the airline’s frequent flyers – many will likely have been caught up in the breach window.  Currently, it seems only cards used to make a booking – rather than those stored on BA’s systems – were compromised, suggesting the attackers intercepted transactions rather than targeting a database of stored credit card details.”

Luke Brown, VP EMEA at WinMagic, on the other hand, suspects that the airline failed to encrypt the data properly. He told LHN,

“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that British Airways hadn’t deployed encryption technology across all its platforms and environments.  It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place.”

Will British Airways Face Any Lawsuits?

Recognizing the extent of the British Airways data breach, the airline has apologized to the affected customers for the incident, in addition to offering compensation. But it is still unclear what legal action BA will face over the matter. Commenting on it, Gailey said,

“The travel industry, in general, has been slow to wake up to the challenges of information security, but severe IT incidents do seem to be stacking up for BA.  The ICO has been notified, but as BA has been quick to communicate – and likely took all reasonable steps to protect its customers’ data – BA is unlikely to be fined under the new regulation.  Beyond that, in the absence of a legal requirement for directors to take responsibility, ultimately it will be up to the shareholders to decide if the board has done enough to protect the company.”

Luke Brown, on the other hand, is more concerned that this British Airways data breach will damage the airline’s reputation.

“When did we last read an article about a data compromise or breach which is then followed up with ‘but don’t worry as the data was encrypted’. Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack. For many passengers, I suspect British Airways isn’t the world’s favourite airline right now.”

Any Possible Preventions For Such Breaches?

Data breaches are indeed becoming the “new normal”, and airlines are no exception. Not much time has passed since we reported on the Air Canada data breach. Like this BA incident, that one also happened through the mobile app, but the extent of the breach was smaller.

How should companies behave during such incidents? Stephen Gailey shares some brief but useful advice.

“They need to start asking questions.  From a security perspective, no organisation will stand up and say it can’t be breached – controls to prevent a breach are inherently flawed.  Monitoring has to be the answer.  Companies like BA need to detect a breach not weeks or months after it happens, but before a situation like this is allowed to develop.  There has been a lot of development in monitoring capabilities recently, but organisations also need to look at their operational security processes to ensure they are fit for purpose.  BA clearly has some work to do on this.”

Jan van Vliet, VP and GM EMEA at Digital Guardian, also highlighted another cause of most data breaches today: third-party services.

“Typically, large data leaks are caused by malicious internal parties or malicious external parties that have compromised someone on the inside. In both cases, the insider could also be at a third-party supplier. It is therefore important for companies to focus data protection programmes not only on their own infrastructure but also on third-party suppliers.”

‘A Reminder To All Organizations’

The exponential rise in data breaches around the world certainly raises questions about current cybersecurity practices. The more organizations claim to have robust data security, the more frequent the breaches seem to be. Most of the time, the attackers remain “unknown”. In the case of the recent British Airways data breach too, the attackers have not yet been identified.

Jan van Vliet therefore calls this incident a ‘reminder’ for all firms. He said,

“The incident serves as a reminder to all organisations to have a good understanding of critical assets (in this case credit card numbers) and how this information is used across all business units and operations. One way to ensure this is to put in place one consistent data protection policy across all parties that come into contact with these critical assets. This includes auditing third parties to ensure they have equivalent levels of protection.”
