Hackers stole data on hundreds of thousands of BA customers from its website, ba.com.
The airline, the UK’s largest, said that the personal and financial details of customers who made bookings between August 21 and September 5 had been compromised, and told TechCrunch that ‘around 380,000 card payments’ had been affected.
In a statement on britishairways.com, BA said:
The incident has been resolved and ba.com is working normally so future bookings will not be affected.
No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline’s mobile app.
For BA, this is a nasty shock: it’s facing fines of up to 4% of global revenue under the newly-enacted GDPR regulations.
Financial and other data was taken in what BA is describing as a ‘sophisticated, malicious criminal attack’ on its website, but the company itself still isn’t totally clear on how it was carried out.
What information was taken?
‘It was name, email address, credit card information – that would be credit card number, expiration date and the three digit [CVV] code on the back of the credit card,’ said BA boss Alex Cruz on the Today Programme.
That casts doubt on exactly how the attack occurred. If it was an attack on BA’s database, loss of CVV codes should have been impossible, because it’s against the law for companies to store that information. Which means either BA isn’t telling the truth and it did keep a database of its customers’ CVV codes, or it wasn’t a database hack.
How did the breach happen?
BA hasn’t revealed any details about the breach. It’s hiding behind the usual corporate screwup best practice (‘own it and share their pain,’ basically) to keep details light.
But some security professionals have some ideas about how it could have happened.
Cybersecurity expert Professor Alan Woodward, from the University of Surrey, told the BBC that BA had ‘very carefully worded the statement’ on their website to say that anybody who made a card payment between 22:58 BST, 21 August 2018 and 21:45 BST, 5 September 2018 was at risk.
‘It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website,’ Professor Woodward went on.
Rather than collecting the data from a database BA keeps, then, hackers are more likely to have inserted code into the website that harvested details as they were entered.
How do you find out if you’re affected?
BA says it will be contacting customers who made bookings during the period of the hack. And the company has promised:
‘financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.’