British Airways (BA) has revealed that hundreds of thousands of its customers have had personal and payment-card details stolen from its website and mobile app.
The airline’s site was compromised between 21 August and 5 September 2018, during which time around 380,000 transactions were affected.
The stolen details include names, addresses, email addresses, and credit card information, including card numbers, expiration dates, and the three-figure CVV codes on the backs of cards. In other words, sufficient information for fraudulent transactions to be carried out – and reports are surfacing from some BA customers of those taking place on their bank accounts.
BA stressed that the compromised data did not include travel or passport details – cold comfort for many users. In a press statement, the company’s chairman and CEO Alex Cruz said:-
“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.
In an interview on BBC Radio 4’s Today programme, Cruz promised to compensate any customers who had been victims of fraudulent payments as a result of the breach.
Given that the retention of CVV codes is prohibited under international rules set out by the PCI Security Standards Council, it’s likely that the attackers intercepted this information, rather than obtained it from BA’s own databases. However, that is by no means certain; BA has many questions to answer.
In its statement, the airline added: “We have notified the police and relevant authorities… [we] will continue to keep our customers updated with the very latest information.”
BA has since announced that the breach has been patched and the website is now functioning normally again. However, the clean-up operation is only just beginning when it comes to brand damage and the loss of customer confidence – and, in some cases, cash.
Internet of Business says
Such a major breach is acutely embarrassing to BA and could be financially disastrous. European authorities may be keen to make an example of a high-profile company – under GDPR, the company could be fined up to four percent of annual turnover.
BA owner IAG’s share price fell four percent as the markets opened this morning, but recovered some ground on the day.
The National Crime Agency and National Cyber Security Centre’s investigations will no doubt highlight the fact that it appears to have taken BA over two weeks to identify and report the breach.
This failing is compounded by the fact British Airways has been blighted with IT problems over the last 18 months, with system faults causing flights to be cancelled in July and also over the Bank Holiday weekend in May 2017.
Paul Farrington, head of EMEA at app security company CA Veracode, contacted Internet of Business on the matter, calling for more consistency in security and app performance in the airline industry:
“The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit,” he said.
“Furthermore, with GDPR now in full force, the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.
“IT issues are not only affecting BA, but also the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show that investment should also be directed at supporting technology.
“As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.”
The breach is reminiscent of a similar attack on Dixons Carphone earlier this year. However, in the case of BA, the fact that CVV codes were obtained makes the incident far more serious, both for BA and its customers.