British Airways data breach

Last updated

In summer 2018, a data breach affected almost 400,000 customers of British Airways, of which almost 250,000 had their names, addresses, credit card numbers and CVV codes stolen. The attack gained access to British Airways systems via the account of a compromised third party and escalated their account privileges after finding an unsecured administrator password. The attacker stole data that British Airways was improperly recording and also redirected users of British Airways website to a bogus site that was designed to steal more data.

Contents

In October 2020 the ICO fined British Airways £20 million for breaches of GDPR related to the breach. A legal claim by customers who had been affected by the breach was settled out of court in 2021.

Attack

On June 22, 2018, an attacker gained access to British Airways Network by means of compromised credentials from an employee of Swissport, a third party cargo handler. [1] The compromised account did not have multi-factor authentication enabled. [1]

The attacker was initially restricted to a Citrix environment, but successfully broke out of the environment by unknown means. [1] After breaking out of the environment, the attacker was able to escalate their privilege after finding an administrator password stored in plaintext on the server. [1]

On 26 July 2018, the attacker found plain text files, containing payment card details for BA redemption transactions. The ICO's report highlighted this as follows:

The logging and storing of these card details (including, in most cases, CVV codes) was not an intended design feature of BA's systems and was not required for any particular business purpose.

It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.

The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker. [1]

Customer Data Collection

BA's website used a JavaScript Library called Modernizr. BA had not updated their version of the library since 2012 and the version they were using had a known bug that allowed the attacker to redirect customer information to a fake domain, 'baways.com', that they had registered. [2] The payment process appeared legitimate to users. [2]

Discovery

On September 5, 2018, a third party informed BA of the malicious code acting on their website. Within 90 minutes it was removed. On the 6th of September BA informed the ICO, and 500,000 affected customers. [1]

On the 7th of September British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018 with credit card details of around 380,000 total customers being compromised. [3] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes – enough to allow thieves to steal from accounts. [3] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include CVV numbers. [4]

British Airways urged customers to contact their banks or credit card issuer and to follow their advice. [3] NatWest said that it received more calls than usual because of the breach. [3] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards. [3]

In 2019 the ICO announced it intended to issue a fine for 1.5% of the airline's 2017 turnover, amounting to £183.39 million. [5] After negotiations with the ICO British Airways was fined £20 million by the Information Commissioner's Office in October 2020. [5] The financial strain of the COVID-19 pandemic was cited as one reason for the reduced fine. [5]

In 2021 the law firm Pogust and Goodhead announced that they were representing a group of BA customers who had been affected by the breach in "the largest group-action personal-data claim in UK history". [6] The class was settled out of court. [7]

Related Research Articles

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

<span class="mw-page-title-main">Information Commissioner's Office</span> Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:

A controlled payment number, disposable credit card or virtual credit card is an alias for a credit card number, with a limited number of transactions, and an expiration date between two and twelve months from the issue date. This "alias" number is indistinguishable from an ordinary credit card number, and the user's actual credit card number is never revealed to the merchant.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user’s credentials even if they are input using virtual keyboard, auto-fill, or copy and paste. It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from.

<span class="mw-page-title-main">Card security code</span> Security feature on payment cards

A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.

The 2011 PlayStation Network outage was the result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to deactivate the PlayStation Network servers on April 20. The outage lasted 23 days.

<span class="mw-page-title-main">Have I Been Pwned?</span> Consumer security website and email alert system

Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

<span class="mw-page-title-main">Point-of-sale malware</span>

Point-of-sale malware is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

Inbenta is an AI company that originated in Barcelona, Spain, in 2005. Inbenta is currently headquartered in Allen, Texas, with additional offices in Spain, São Paulo, Brazil, Toulouse, France, and Tokyo, Japan.

The EasyJet data breach was a cyberattack on the computer systems of British airline EasyJet.

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country.

Web skimming, formjacking or a magecart attack is an attack in which the attacker injects malicious code into a website and extracts data from an HTML form that the user has filled in. That data is then submitted to a server under control of the attacker.

The 2021 Air India cyberattack was a cyberattack that affected more than 4.5 million customers of Air India airlines.

<span class="mw-page-title-main">2021 Epik data breach</span> 2021 cybersecurity incident in America

The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year. A second release, this time containing bootable disk images, was made on September 29. A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.

Harris Pogust is an American attorney, who is currently the Chairman of the international law firm Pogust Goodhead.

References

  1. 1 2 3 4 5 6 ICO. "ICO - action we've taken - BA" (PDF).
  2. 1 2 Stokel-Walker, Chris. "A simple fix could have saved British Airways from its £183m fine". Wired. ISSN   1059-1028 . Retrieved 2024-11-26.
  3. 1 2 3 4 5 Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters .
  4. "BA investigation into website hack reveals more victims". BBC News. 2018-10-25. Retrieved 2022-11-04.
  5. 1 2 3 Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News . Retrieved 16 October 2020.
  6. Rodgers, Jason (2021-01-15). "British Airways Data Breach Claim Becomes Biggest Of Its Kind In The UK". Pogust Goodhead. Retrieved 2024-11-26.
  7. "British Airways data-breach compensation claim settled". BBC News. 2021-07-06. Retrieved 2024-11-26.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.