British Airways Breach Flies Under U.S. Radar

The globalization of stolen data continues. On Sept. 6, 2018 British Airways announced it had suffered a breach resulting in the theft of personal and payment information of perhaps 380,000 customers.

In news that may have gone virtually unnoticed in the U.S., BA said personal and financial details, but not passport information, of customers making or changing bookings was compromised and apologized for what it says was a sophisticated breach of the firm’s security systems.

“We are 100% committed to compensate them, period,” Alex Cruz, British Airways CEO, told the BBC’s Today program. “We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”

BA said the breach took place between Aug. 21 and Sept. 5. Potentially affected: names, email addresses, credit card information (number, expiration date and the three-digit card verification codes). BA insists it did not store the CVV numbers, which is prohibited under international standards set out by the PCI Security Standards Council. Security researchers speculated the card details were intercepted, rather than collected from a BA database.

It isn’t obvious how hackers gained access to BA’s website and app, but at least one cybersecurity expert had some suggestions.

A RiskIQ researcher, Yonathan Klijnsma, claimed to have discovered evidence of a skimming script designed to steal financial data from online payment forms. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident,” Klijnsma noted. The San Francisco-based firm said the code found on the BA site was extremely similar, but appeared modified to fit the airline’s web design.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote.  He added, the infrastructure used purposely targeted scripts that would blend in with normal payment processing to avoid detection

“As this is a criminal investigation, we are unable to comment on speculation,” said BA in a statement.

Under GDPR, fines can be up to 4% of annual global revenue. BA’s total revenue in 2017 was about $16 billion, so that could be a potential maximum of $635 million.

Paul Bischoff, privacy advocate at the U.K.-based Comparitech.com, said, “With British Airway’s disclosure of hackers carrying out a malicious attack on its website and mobile app and Air Canada suffering a similar fate just last week, there’s nothing like a fresh wave of data breaches to drive home the importance of the security of customer data.”

Bischoff noted it is somewhat encouraging the admission the BA attack did not compromise travel or passport details, but still noted the effect on BA’s share prices, which have dropped 4% since the disclosure.

Pravin Kothari, CEO of the San Jose, Calif.-based CipherCloud, added, “Since the U.S. has enacted breach notification laws, businesses and consumers have been made acutely aware of the risks and brand damage that result from a cyberattack, but very little has been reported from Europe. Now, thanks to GDPR, more European breaches will be made public. It’s taken this kind of regulation to force awareness about the critical need to invest in security to protect your data.”

Timothy Bedard, director of product marketing, TID Solutions, Chicago-based OneSpan, held, “As the British Airways breach details become publicly known, this is yet another reminder of reality we live in today. It is not a question of ‘if we get breached’, it is a question of ‘when we will be breached.’ But, while British Airways manages the negative publicly and potential GDPR fines, the real victims in this scenario are the British Airways customers.”

Bedard warned once fraudsters have personal information, they will be able to access financial accounts, open new accounts in stolen ID’s name, make fraudulent purchases, or sell their personal information to other fraudsters on the dark web.