380,000 Card Payments Compromised In British Airways Breach (sky.com)
Earlier today, British Airways said credit card information of at least 380,000 customers has been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."
when not if (Score:2)
And that should be really expensive for them (Score:5, Insightful)
Say, $100 per customer, payable to the customer for their hassle. But likely this will not cost them a thing. So it will happen again and again and again.
Re: (Score:2)
Man in the middle attack? (Score:2)
It's not clear yet, but given it was "transactions" that were reported as abused, such an attack would make sense.
Re: (Score:3, Informative)
But likely this will not cost them a thing.
That is far from reality. To process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standard), a self-regulatory scheme created and ruled by the major card brands. When such an incident happens, it usually hurts companies pretty badly, because the following things happen:
- You need to engage with a PCI forensic company (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're tal
Re: (Score:3)
Sure, you rack up a couple of million in penalties... then you divide that number by 380,000 and it only costs you $6 per customer.
No biggie.
Re: (Score:2)
GDPR could bite hard (Score:3)
Given the new EU regulations since May, there's a very good chance that BA will be fined a very respectable amount - in the tens if not hundreds of millions of pounds. Certainly it's a good opportunity for us to see if such fines will be used to frighten companies into doing better. OTOH we have to accept that everyone gets burgled occasionally...
Re: (Score:1)
BA have no business holding the card details in a hackable web accessible location, they should just hold an identifier that they use to reference a payment provider service. They should use a third party payment provider service or they should implement one internally and use that, the payment provider service should be within an ultra secure area and have a very restricted minimal interface to the rest of the company,
Re: (Score:2)
From the reports I've been reading this morning, the data was stolen at transaction time, so most likely some kind of MITM attack or code injection on the payment page.
Also, it seems that cards saved on the website might be alright, which points to the fact that saved cards are "tokenized" in some way, and not sent across the network in that case. Which would actually be good practice in this particular case...
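The two comments above describe the same design: the web-facing merchant system keeps only an opaque identifier that references a card held by an isolated payment service (a "vault"), so a dump of the merchant database, or a capture at the merchant, never yields a full card number. The following Python is an added illustration of that tokenization pattern and is not code from BA, Sky News or any commenter; the `CardVault`, `MerchantDB` and `SavedCard` names, the in-memory storage and the simulated `charge` call are all hypothetical stand-ins for a real vault and card-network integration, and the card number used is a constructed, Luhn-valid test value.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; rejects malformed card numbers before they reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical isolated vault: the only component that ever holds a full PAN.
    In a real deployment this sits in the restricted payment zone with a minimal
    interface (tokenize, charge) exposed to the rest of the company."""

    def __init__(self):
        self._cards = {}   # token -> (pan, expiry); encrypted at rest in reality

    def tokenize(self, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        # Random token: it cannot be reversed into the PAN and means nothing outside this vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        if token not in self._cards:
            raise KeyError("unknown token")
        pan, _expiry = self._cards[token]
        # Simulated authorisation; a real vault would call the card network here.
        return {"status": "approved", "amount_pence": amount_pence, "last4": pan[-4:]}


@dataclass
class SavedCard:
    """Everything the web-facing side is allowed to keep about a saved card."""
    customer_id: str
    token: str
    last4: str
    expiry: str


class MerchantDB:
    """Hypothetical merchant-side store: references cards by token only."""

    def __init__(self, vault: CardVault):
        self.vault = vault
        self.saved = {}

    def save_card(self, customer_id: str, pan: str, expiry: str) -> SavedCard:
        token = self.vault.tokenize(pan, expiry)
        card = SavedCard(customer_id, token, pan[-4:], expiry)
        self.saved[customer_id] = card     # the PAN itself is never written here
        return card

    def pay_with_saved_card(self, customer_id: str, amount_pence: int) -> dict:
        return self.vault.charge(self.saved[customer_id].token, amount_pence)

    def dump(self) -> str:
        """What someone reading the merchant database would see."""
        return "\n".join(f"{c.customer_id},{c.token},{c.last4},{c.expiry}"
                         for c in self.saved.values())


def dump_contains_pan(db: MerchantDB, pan: str) -> bool:
    """Check that the merchant-side data never contains the full card number."""
    return pan in db.dump()


def token_usable_elsewhere(token: str) -> bool:
    """A token is only meaningful to the vault that issued it."""
    try:
        CardVault().charge(token, 1)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    vault = CardVault()
    db = MerchantDB(vault)
    TEST_PAN = "4111111111111111"   # constructed, Luhn-valid test number
    card = db.save_card("cust-1", TEST_PAN, "12/22")
    print(db.dump())
    print("PAN in merchant dump:", dump_contains_pan(db, TEST_PAN))
    print(db.pay_with_saved_card("cust-1", 12345))
```

The point of the check at the end is the one the comments make: a compromise of the web-facing system yields tokens and last-four digits, which are worthless without the vault, whereas card data that passes through the checkout page in the clear at transaction time is exposed regardless of how the stored cards are held.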
Re: (Score:2)
I have a feeling a lot of companies will be watching this one closely. IIRC the regulation states anywhere between 20m EUR and 4% of revenues, which would be just under half a billion euros on 2016 figures. (And almost 1bn dollars if directed at parent company IAG).
Re: (Score:2)
Thanks (Score:2)
Good point. The interesting question will be the issue of 'reasonable protection' - and the court cases to determine that are still in the future. Let's hope that it's a reasonably high standard set so there is a good incentive to big companies to get it RIGHT!
Re: (Score:1)
Re: (Score:2)
For 380,000 ... (Score:2)
... years, the universe was in an expanding opaque plasma state so dense that photons could not travel very far.
Coincidence?
Yes, I'm sure of it.
Re: (Score:2)
I don't like it when people call me smart.
It makes the assumption that I am better than they.
I'm not.
The word you're looking for is "experienced."
Experience + exposure = expertise. ~ © 2018 CaptainDork
Re: (Score:2)
Re: (Score:2)
Has it occurred to you that you weren't one of the affected customers?
Re: (Score:2)
Re: (Score:2)
The affected people are those who bought tickets between August 21st and September 5th. That you haven't received an email reflects the fact that you bought your tickets around three weeks before the affected time period.
I too bought BA tickets at the beginning of August, and I likewise have not received any communication from BA about this issue. This does not surprise me.
Re: (Score:2)
Not enough (Score:3)
It will be interesting to see what does come out (Score:2)
As to why this happened and what went wrong. Certainly there will be no excuse for lack of resources in the IT department; OTOH a configuration error is always possible.
Re: (Score:2)
I'm glad I saw the email here, because we sure didn't get one in our inbox. We had a card suddenly show some weird $1 transactions in the US while we're in the UK, and we booked a flight during the 'window' of the attack. No emails from BA though.
BA have two speeds of IT. On the one hand, they have some excellent ideas and design - ba.com went from being a waste of space to being the best airline booking system anywhere (at the time, others have caught up now). They've got some really good build quality on
Re: (Score:3)
Thanks, BA, because I will never fly an airline which doesn't care about its loyal customers and their own employees, of their home country.
Sounds like you'll never be flying then...
Going downhill (Score:1)