An In-Depth Look At The British Airways Data Breach

On September 6 2018, British Airways announced that it had suffered a data breach that compromised the financial information of approximately 380,000 customers. The Chief Executive of the airline described the attack as 'sophisticated and malicious'. Over a span of 15 days, hackers accessed the personal and financial details of card customers who were using the BA website and app. The theft ran from 10.58 on 21 August to 9.45 on 5 September and affected customers who were booking flights or changing them.

This breach translates to an increased risk of fraud for the people affected. With an individual's credit card and personal details out there, it is easy to fall victim to fraud. Data breaches of large corporations are not unheard of. In fact, they have occurred at alarming rates in the past several years. It is why resources like have become so popular. Understanding the BA hack and its consequences is important for customers and other companies that may be susceptible to the same threats.

Who was affected

British Airways says that the theft targeted customers who were paying directly with their cards during the period. So, if you booked a flight between 21 August and 5 September with a third party, then the breach wouldn't have affected you. The airline said that the cybercriminals did not access travel or passport details. Emails, addresses, names and card details were the compromised data. The theft included the CVCs of credit and debit cards, which are the unique codes that customers have to submit when verifying online purchases.

What happened?

Concerns about the size of the data breach have raised the usual questions of whether British Airways had the correct security measures to prevent or at least detect the hack. When announcing the breach, the airline insisted that the criminals did not get past the encryption. The speculation is that the intrusion occurred through skimming. According to investigations, the information theft took place during the booking process when a customer has to submit various details, including credit card and personal particulars. Skimming is when an intrusion program copies data as it is entered into a system.

RiskIQ is one security company that has been following up on the BA data breach. It points the finger at Magecart, a gang that has been carrying out criminal hacks since 2015. This gang has a reputation for credit card skimming. According to investigations by RiskIQ, the group has grown more sophisticated by targeting the infrastructure of a specific company. It is possible that hackers established a system that mimicked the BA app and website. They then placed malicious code that scooped up every detail that a customer fed into the online payment form.

The attack carried out on the British Airways website did not necessitate entry into the servers, which may explain the time it took to notice it. However, the script used to incapacitate the site seemed to have affected the app as well, which could have been intentional. Skimming attacks are usually executed on web pages that don't have robust security. British Airways doesn't keep most of the information stolen like names and addresses. The data breach only targeted the financial information and not the IT system, so BA customers could check in online without any issues.
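
Because a skimmer of this kind runs on the web page rather than on the servers, one defensive check is to compare the scripts a payment page loads against a reviewed baseline. The Python example below is an added illustration, not code from British Airways or RiskIQ; the hosts, file names and script bodies are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def audit_scripts(html, bodies, baseline, allowed_hosts):
    """Compare the scripts on a payment page with a reviewed baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        if urlparse(src).hostname not in allowed_hosts:
            findings.append(("unexpected-host", src))      # host never approved
        elif src not in baseline:
            findings.append(("unreviewed-script", src))    # new file on a known host
        elif sri(bodies.get(src, b"")) != baseline[src]:
            findings.append(("content-changed", src))      # reviewed file was modified
    return findings


# Constructed sample data: hypothetical hosts, file names and script bodies.
CHECKOUT = "https://shop.example/js/checkout.js"
REVIEWED = {CHECKOUT: b"function pay(){/* reviewed */}"}
BASELINE = {url: sri(body) for url, body in REVIEWED.items()}
ALLOWED_HOSTS = {"shop.example"}
PAGE = ('<form id="payment"></form>'
        '<script src="https://shop.example/js/checkout.js"></script>'
        '<script src="https://cdn.example.net/lib.js"></script>')
# Snapshot in which the same-origin file no longer matches the reviewed copy.
BODIES = {CHECKOUT: REVIEWED[CHECKOUT] + b"//appended",
          "https://cdn.example.net/lib.js": b""}

if __name__ == "__main__":
    for kind, src in audit_scripts(PAGE, BODIES, BASELINE, ALLOWED_HOSTS):
        print(kind, src)
```

Run on a schedule against the live payment page, a check like this raises a finding as soon as a script is added or altered, without waiting for a third party to notice.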

What is the Response?

The British airline said that it realised the ongoing theft after receiving a warning from a third party and took action immediately. The Information Commissioner and the police were alerted to the breach and opened an investigation. British Airways called the customers whose data had been stolen to inform them. The company advised its customers to contact their banks to learn how to proceed. Some customers have complained that they were hoping for a little more than 'contact your bank' from BA. The airline has said that it will compensate individuals who suffer monetary loss due to the hack.

This breach poses several risks for the affected customers. For one, the hackers can sell the collected information to other criminal elements that may use it in various illegal activities. The credit card data can be used to make online purchases. Phishing scams are also a big risk even for people who have not been affected. Scammers can contact BA customers and trick them into giving out their information in the name of following up on the breach.

Some banks have reissued cards for people whose details were compromised in the breach. Others have advised customers to track their financial transactions to detect any unusual activity and then alert their banks. However, if as a cardholder you are feeling anxious about the risks of keeping the same credit/debit card, you can ask for a new one without waiting for fraudulent activities. Changing passwords is recommended for anyone affected by the BA hack. If the login details of your BA account are used anywhere else, it is safe to change them there as well.

About the Author

Jack Foster