As a matter of urgency, British Airways (BA) is investigating the theft of customer data from its website and mobile app. From 22.58 hours BST on 21 August until 21.45 hours BST on 5 September inclusive, the personal and financial details of customers making or changing bookings on www.ba.com and the airline’s app were compromised. The stolen data did not include travel or passport details.
According to a statement issued on BA’s website, the breach has been resolved and the website is working normally again. The company has notified the police and the relevant authorities. Customers directly affected have been e-mailed by BA and asked to contact their bank or credit card provider and follow the advice they are given. Customers have also been asked to change their passwords.
Every customer affected will be fully reimbursed, while BA will pay for a credit checking service. “We take the protection of our customers’ data seriously, and we’re very sorry for the concern that this criminal activity has caused,” said the company. “We will continue to keep our customers updated with the very latest information. We are in contact with our affected customers and will manage any claims on an individual basis.”
Speaking about the episode, Alex Cruz (CEO of BA) told the BBC that hackers had carried out a “sophisticated, malicious criminal attack” on its website that has impacted circa 380,000 customers of the airline. Cruz was keen to point out that the breach only affects those individuals who bought tickets during the timeframe provided by BA, and not on other occasions.
In terms of the stolen data, Cruz told the BBC: “It was name, e-mail address and credit card information. That would be credit card number, expiration date and the three digit [CVV] code on the back of the credit card.”
BA insists it did not store the CVV numbers; storing them is prohibited under the international standards set out by the PCI Security Standards Council. Given that BA has said the attackers nonetheless obtained CVV numbers, security researchers have speculated that the card details were intercepted during the booking transaction rather than harvested from a BA database.
Reaction from the security sector
Ilia Kolochenko, CEO of web security company High-Tech Bridge, told Risk Xtra: “BA’s reaction has been very fast. The company’s transparency and frankness serve as a good example to other companies who are prone to minimising the consequences of such a breach. It is, however, too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.”
Kolochenko continued: “Shadow IT and legacy applications are a plague in today’s world. Large organisations have so many intertwined websites, web services and mobile apps that they often forget about considerable parts of them. On the other side, cyber criminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey for the attackers.”
In addition, Kolochenko stated: “Web applications are the Achilles’ heel of modern companies and organisations. Lawmakers make their lives even more complicated. For example, with the GDPR, many organisations had to temporarily give up their practical cyber security and concentrate all their efforts on paper-based compliance. New cyber security regulations may do more harm than benefit for society if improperly imposed or implemented.”
Dr Guy Bunker, senior vice-president at cyber security company Clearswift, observed: “With the breaking news this morning that BA has been hacked, it poses a number of questions. First, in the era of the GDPR, will we see a substantial fine levied on the company? While there have been a number of breaches since the legislation was enforced earlier this year, this is one where the affected business has admitted what has happened and believes it ticks all the boxes when it comes to personal data being compromised.”
Bunker went on to state: “The good news is that the breach was picked up relatively quickly. BA has systems in place such that it could narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently. As with all mobile apps, there will be a long hard look at how the compromise could have occurred. Was it the app, or was it the back-end system which caused the compromise or a mixture of both?”
Strong targets for cyber criminals
Rufus Grig, CTO at Maintel, informed Risk Xtra: “Organisations like BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers a high return on investment. Yet it must be said that every company is a target when it comes to cyber attacks. There only needs to be a single vulnerability to enable a breach. While cyber criminals will always find new ways of gaining access, there are also ways in which to reduce risk and minimise the loss of data.”
In conclusion, Grig commented: “Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in Internet of Things appliances impacting the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow. A priority for security teams will be to reduce the time taken to detect, contain and mitigate breaches. This is a key strategy given that malicious actors are now very skilled in delivering multi-layered attacks using diversion techniques. The only way to go about this is applying emerging technologies like predictive analytics with techniques such as machine learning and modelling as another layer of the already complex security stack. As the saying goes, it’s always better to err on the side of caution.”
Egress CEO Tony Pepper has also reacted to the BA data breach. “Today, we have seen reports highlighting that BA has been the victim of a very sophisticated and malicious cyber attack resulting in the personal and financial information of 380,000 customers being stolen by cyber criminals. While there will be overwhelming negativity attached to the breach, BA should be commended on its swift action and transparency in alerting customers, police and the Information Commissioner’s Office to the data breach. Although this may be of little comfort to those who’ve been affected, a swift response does limit further damage and subsequent cost. This malicious attack does yet again serve as a warning that organisations need to ensure their systems are robust enough to withstand these types of attacks and that early detection and reaction are of paramount importance.”
Randhir Shinde, CEO at Galaxkey (the cyber security consultancy), said: “British Airways is just the latest example of the threat posed by cyber attacks. Hackers are becoming increasingly inventive, often targeting hardware such as printers, scanners and credit card machines to breach systems. The real danger here isn’t the stolen financial information and assets. These losses will be compensated. The bigger issue is that personal information may have been compromised. Names, addresses and e-mail addresses may not sound threatening, but this information can be the first step for hackers. Such details allow them to enter e-mail accounts, social media and, ultimately, do harm. All of us – businesses and individuals – have an interest in doing everything we can to protect sensitive data.”
DNS data exfiltration attack
Analysing the breach, Ronan David (vice-president of strategy at Efficient IP) told Risk Xtra: “Alex Cruz declared this attack to be very sophisticated, malicious and criminal, and identified the time of the attack as being between 21 August and 6 September, leaving the attacker(s) 17 days to steal payment information on an unprecedented scale. Though currently the exact attack method used is still unknown, this has all the traits of a DNS data exfiltration attack. This type of attack can be extremely difficult to detect as it closely resembles typical network traffic, meaning that incidents are often not detected until long after exfiltration has already been achieved.”
David added: “The DNS protocol is recognised as one of the most discreet options for cyber criminals to carry out data exfiltration, as DNS traffic is typically not analysed. This ‘careless’ attitude makes it difficult to efficiently track with existing network inspection tools, especially considering the high volume of DNS traffic.”
Also, David said: “DNS exfiltration attacks are difficult to detect for legacy systems. If the British Airways attack is indeed DNS exfiltration, it could give validity to Cruz’s claim that it was discovered as late as it was. Our Global DNS Threat Report highlights that 22% of transport organisations were vulnerable to DNS tunnelling and exfiltration, showing a higher vulnerability to these attacks than other industries. It also showed that the transport industry was subject to more DNS-based attacks than any other in the last 12 months. In this day and age, companies must consider security solutions specifically for DNS in order to protect their infrastructure and stored customer data.”
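The DNS exfiltration scenario David describes relies on encoded data leaving the network inside query names, in traffic that, as he notes, is often not analysed at all. The following is an added example, not from the article or any of the companies quoted, of the kind of baseline check a defender can run over resolver query logs: it aggregates queries per registered domain and flags domains whose subdomains are long, high-entropy and almost never repeated. The log lines, the domain exfil-demo.invalid and the thresholds are constructed for illustration, and the registered-domain extraction is deliberately naive.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one query per line: "<epoch> <client> <qname> <qtype>".
# The exfil-demo.invalid subdomains are hex-encoded chunks, the shape an exfiltration tool leaves.
SAMPLE_LOG = """\
1536000001 10.0.0.5 www.example.com A
1536000002 10.0.0.5 cdn.example.com A
1536000003 10.0.0.5 mail.example.com MX
1536000004 10.0.0.7 4e616d653a4a6f686e2044.exfil-demo.invalid TXT
1536000005 10.0.0.7 43617264343131312d3132.exfil-demo.invalid TXT
1536000006 10.0.0.7 3334353637383930313233.exfil-demo.invalid TXT
1536000007 10.0.0.7 4578703a31322f3233204356.exfil-demo.invalid TXT
1536000008 10.0.0.5 www.example.com A
"""

def entropy(s):
    """Shannon entropy of s in bits per character; an empty string scores 0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive: the last two labels. Production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text):
    """Per registered domain: query count, distinct subdomains, mean length, mean entropy, TXT/NULL share."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "length": 0, "ent": 0.0, "rare": 0})
    for line in log_text.strip().splitlines():
        _ts, _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if len(qname) > len(dom) else ""
        a = acc[dom]
        a["n"] += 1
        a["subs"].add(sub)
        a["length"] += len(sub)
        a["ent"] += entropy(sub.replace(".", ""))
        a["rare"] += qtype in ("TXT", "NULL")  # record types favoured for carrying bulk data
    return {dom: {"queries": a["n"], "unique_subdomains": len(a["subs"]),
                  "mean_sub_len": a["length"] / a["n"], "mean_entropy": a["ent"] / a["n"],
                  "rare_qtype_ratio": a["rare"] / a["n"]} for dom, a in acc.items()}

def suspicious_domains(log_text, min_len=20, min_entropy=2.5, min_unique_ratio=0.9):
    """Flag domains whose subdomains are long, high-entropy and rarely repeat: encoded data, not hostnames."""
    return sorted(dom for dom, f in score_domains(log_text).items()
                  if f["mean_sub_len"] >= min_len and f["mean_entropy"] >= min_entropy
                  and f["unique_subdomains"] / f["queries"] >= min_unique_ratio)
```

Thresholds need tuning against a site's own baseline; CDNs and some anti-spam services legitimately generate long, random-looking labels, so the rare_qtype_ratio and per-client query volume are the next features to add before alerting.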
Bill Curtis, senior vice-president and chief scientist at Cast, commented: “Increasingly sophisticated criminals are always finding new vulnerabilities in what are very complex and interconnected systems. A third party likely supplied code to British Airways to run payment authorisation which could have been used by the hacker(s) in order to obtain the payment details. The best way in which to mitigate this risk is to use software intelligence technology to identify the security vulnerabilities from third parties.”
Curtis concluded: “Airlines juggle multiple systems that must interact to control gate, reservations, ticketing and frequent flyers. The components of each of these systems may have been written separately by different companies. It’s often very difficult to gain a holistic view of a transaction and see the full attack surface that can be exploited.”