Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy Software Transportation

380,000 Card Payments Compromised In British Airways Breach (sky.com) 50

Earlier today, British Airways said credit card information of at least 380,000 customers have been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."
This discussion has been archived. No new comments can be posted.

380,000 Card Payments Compromised In British Airways Breach

Comments Filter:
  • when not if
  • by gweihir ( 88907 ) on Thursday September 06, 2018 @10:03PM (#57267346)

    Say, $100 per customer, payable to the customer for their hassle. But likely this will not cost them a thing. So it will happen again and again and again.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      But likely this will not cost them a thing.

      That is far from reality, to process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standards), this is a self-regulatory scheme created and ruled by major card brands. When such an incident happens usually it hurts companies pretty bad because the following things happen:

      - You need to engage with a PCI forensic company (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're tal

      • Sure, you rack up a couple of million in penalties... ...then you divide that number by 380,000 and it only cost you $6 per customer.

        No biggie.

      • by mjwx ( 966435 )
        Ordinarily yes, but you're clearly not familiar with BA, who are worse than Ryanair in regards to weaselling out of their financial obligations. When they clearly owe you compensation (either due to European statutes or financial cost incurred by you due to their failure) then you are told to go to your travel insurer, if you refuse you're given the run around until you give up or manage to get to an authority that has power over BA. They are worse than American airlines (as in airlines operating out of the
    • Given the new EU regulations since May, there's a very good chance that BA will be fined a very respectable amount - in the tens if not hundreds of millions of pounds. Certainly it's a good opportunity for us to see if such fines will be used to frighten companies into doing better. OTOH we have to accept that everyone gets burgled occasionally...

      • by Anonymous Coward

        BA have no business holding the card details in a hackable web accessible location, they should just hold an identifier that they use to reference a payment provider service. They should use a third party payment provider service or they should implement one internally and use that, the payment provider service should be within an ultra secure area and have a very restricted minimal interface to the rest of the company,

        • From the reports I've been reading this morning, the data was stolen at transaction time, so most likely some kind of MITM attack or code injection on the payment page.

          Also, it seems that cards saved on the website might be alright, which points to the fact that saved cards are "tokenized" in some way, and not sent across the network in that case. Which would actually good practice in this particular case...

      • I have a feeling a lot of companies will be watching this one closely. IIRC the regulation states anywhere between 20m EUR and 4% of revenues, which would be just under half a billion euros on 2016 figures. (And almost 1bn dollars if directed at parent company IAG).

      • Comment removed based on user account deletion
        • Good point. The interesting question will be the issue of 'reasonable protection' - and the court cases to determine that are still in the future. Let's hope that it's a reasonably high standard set so there is a good incentive to big companies to get it RIGHT!

    • Not hard enough, £/$1,000 per account leaked plus one C-level exec packs a bag for some jail time. Until someone's ass is on the line this sort of incompetence will continue. And yes, my details were included in the breach, w@nkers.
    • as long as the cost of this does not exceed shrinkage (or whatever they call waste, fraud and abuse in the airlines, etc.) it will keep happening
  • ... years, the universe was in an expanding opaque plasma state so dense that photons could not travel very far.

    Coincidence?

    Yes, I'm sure of it.

  • Comment removed based on user account deletion
  • by hcs_$reboot ( 1536101 ) on Friday September 07, 2018 @12:35AM (#57267666)
    "We take the protection of your personal information very seriously" Almost insulting to put that in the email sent to affected clients.
    • As to why this happened and what went wrong. Certainly there will be no excuse for lack of resources in the IT department; OTOH a configuration error is always possible.

    • I'm glad I saw the email here, because we sure didn't get one in our inbox. We had a card suddenly show some weird $1 transactions in the US while we're in the UK, and we booked a flight during the 'window' of the attack. No emails from BA though.

      BA have two speeds of IT. On the one hand, they have some excellent ideas and design - ba.com went from being a waste of space to being the best airline booking system anywhere (at the time, others have caught up now). They've got some really good build quality on

  • Unfortunately, since Alex Cruz took over the helm, British Airways have become a budget airline in every respect apart from the price. Checked bags no longer included. No food or drink included. Pay extra to select seats. Coupled with (in my experience) very frequent shcedule changes after booking and poor customer service. Coupled to that frequent IT problems, and some industrial relation issues. I only use them when no other airlines fly the route. The only thing that isn't like a budget airline is the pr

It's currently a problem of access to gigabits through punybaud. -- J. C. R. Licklider

Working...