380,000 Card Payments Compromised In British Airways Breach

Earlier today, British Airways said credit card information of at least 380,000 customers have been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."

when not if

[johnsnails]

when not if

And that should be really expensive for them

[gweihir]

Say, $100 per customer, payable to the customer for their hassle. But likely this will not cost them a thing. So it will happen again and again and again.

Re:

[hcs_$reboot]

Or, at least, keep it encrypted.

Man in the middle attack?

[Bruce66423]

It's not clear yet, but given it was "transactions" that were reported as abused, such an attack would make sense.

Re:

[Anonymous Coward]

But likely this will not cost them a thing.

That is far from reality, to process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standards), this is a self-regulatory scheme created and ruled by major card brands. When such an incident happens usually it hurts companies pretty bad because the following things happen:

- You need to engage with a PCI forensic company (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're tal

Re:

[Joce640k]

Sure, you rack up a couple of million in penalties... ...then you divide that number by 380,000 and it only cost you $6 per customer.

No biggie.

Re:

[mjwx]

Ordinarily yes, but you're clearly not familiar with BA, who are worse than Ryanair in regards to weaselling out of their financial obligations. When they clearly owe you compensation (either due to European statutes or financial cost incurred by you due to their failure) then you are told to go to your travel insurer, if you refuse you're given the run around until you give up or manage to get to an authority that has power over BA. They are worse than American airlines (as in airlines operating out of the

GPDR could bite hard

[Bruce66423]

Given the new EU regulations since May, there's a very good chance that BA will be fined a very respectable amount - in the tens if not hundreds of millions of pounds. Certainly it's a good opportunity for us to see if such fines will be used to frighten companies into doing better. OTOH we have to accept that everyone gets burgled occasionally...

Re:

[Anonymous Coward]

BA have no business holding the card details in a hackable web accessible location, they should just hold an identifier that they use to reference a payment provider service. They should use a third party payment provider service or they should implement one internally and use that, the payment provider service should be within an ultra secure area and have a very restricted minimal interface to the rest of the company,

Re:

[alex67500]

From the reports I've been reading this morning, the data was stolen at transaction time, so most likely some kind of MITM attack or code injection on the payment page.

Also, it seems that cards saved on the website might be alright, which points to the fact that saved cards are "tokenized" in some way, and not sent across the network in that case. Which would actually good practice in this particular case...

Re:

[alex67500]

I have a feeling a lot of companies will be watching this one closely. IIRC the regulation states anywhere between 20m EUR and 4% of revenues, which would be just under half a billion euros on 2016 figures. (And almost 1bn dollars if directed at parent company IAG).

Re:

[account_deleted]

Comment removed based on user account deletion

Thanks

[Bruce66423]

Good point. The interesting question will be the issue of 'reasonable protection' - and the court cases to determine that are still in the future. Let's hope that it's a reasonably high standard set so there is a good incentive to big companies to get it RIGHT!

Re:

[Simon Rowe]

Not hard enough, £/$1,000 per account leaked plus one C-level exec packs a bag for some jail time. Until someone's ass is on the line this sort of incompetence will continue. And yes, my details were included in the breach, w@nkers.

Re:

[ole_timer]

as long as the cost of this does not exceed shrinkage (or whatever they call waste, fraud and abuse in the airlines, etc.) it will keep happening

For 380,000 ...

[CaptainDork]

... years, the universe was in an expanding opaque plasma state so dense that photons could not travel very far.

Coincidence?

Yes, I'm sure of it.

Re:

[CaptainDork]

I don't like it when people call me smart.

I makes the assumption that I am better than they.

I'm not.

The word you're looking for is "experienced."

Experience + exposure = expertise. ~ © 2018 CaptainDork

Re:

[amalcolm]

Email. What freaking e-mail? I am directly affected by this, I bought tickets a month ago and am currently on holiday. Just cancelled my card, not a word from BA

Re:

[jeremyp]

Has it occurred to you that you weren't one of the affected customers?

Re:

[amalcolm]

If course, but now am I supposed to know? Wait for someone to raid my card up to the credit limit?

Re:

[tendrousbeastie]

The affected people are those who bought tickets between August 21st and September 5th. That you haven't received an email reflects that fact that you bought your tickets around three weeks before the affected time period.

I too bought BA tickets at the beginning of August, and I likewise have not received any communication from BA about this issue. This does ot surprise me.

Re:

[account_deleted]

Comment removed based on user account deletion

Not enough

[hcs_$reboot]

"We take the protection of your personal information very seriously" Almost insulting to put that in the email sent to affected clients.

It will be interesting to see what does come out

[Bruce66423]

As to why this happened and what went wrong. Certainly there will be no excuse for lack of resources in the IT department; OTOH a configuration error is always possible.

Re:

[coofercat]

I'm glad I saw the email here, because we sure didn't get one in our inbox. We had a card suddenly show some weird $1 transactions in the US while we're in the UK, and we booked a flight during the 'window' of the attack. No emails from BA though.

BA have two speeds of IT. On the one hand, they have some excellent ideas and design - ba.com went from being a waste of space to being the best airline booking system anywhere (at the time, others have caught up now). They've got some really good build quality on

Re:

[Bert64]

Thanks, BA, because I will never fly an airline which doesn't care about its loyal customers and their own employees, of their home country.

Sounds like you'll never be flying then...

Going downhill

[joncombe]

Unfortunately, since Alex Cruz took over the helm, British Airways have become a budget airline in every respect apart from the price. Checked bags no longer included. No food or drink included. Pay extra to select seats. Coupled with (in my experience) very frequent shcedule changes after booking and poor customer service. Coupled to that frequent IT problems, and some industrial relation issues. I only use them when no other airlines fly the route. The only thing that isn't like a budget airline is the pr