Incident Of The Week: British Airways Breach Leaks 380K Transactions

Airline Warns Of 'Illicit Activity' On Its Site, App

Add bookmark

Dan Gunderman

[Featured Photo: Nieuwland Photography/]

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. Cyber Security Hub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a recent data breach at British Airways (BA), which is the flag carrier and largest airline in the U.K. A reported 380,000 transactions made on the BA website and mobile app from Aug. 21 – Sept. 5 were compromised in the recent incident, prompting industry leaders and cyber security experts to warn consumers and enterprises about the threat of attacks across a number of industries.

According to the Travel Trade Gazette (TTG), the company’s Chief Executive, Alex Cruz, said the attack was “sophisticated, malicious (and) criminal.” Compromised data reportedly included names, addresses, email addresses, card numbers, expiration dates and CVV codes, although retailers are barred from storing the latter.

Cyber security company RiskIQ reportedly stated the attack was comparable to an online card-skimming exercise. Essentially, the cyber actors injected themselves between the buyer and BA during the transactions.

In analyzing the BA website and app, RiskIQ discovered 22 lines of malicious code injected on the company’s systems prior to the attack.

See Related: Incident Of The Week: Phishing Scam At Pa. Bank Exposes 50K Accounts

[Photo: Chris Dorney/]

The BA breach is similar to other attacks we’ve seen this year, insofar as carrying name recognition and impacting scores of consumers. However, unlike the Ticketmaster breach which zeroed in on a third party, BA-focused hackers built up a unique mechanism for their attack.

The airline further stated that global distribution systems (GDS) were not affected by the heist, but additional purchases (e.g., baggage) through the BA website or app could have been exposed.

Britain’s National Crime Agency and Information Commissioner’s Office (ICO) is investigating the attack, and the company could face exorbitant fines, due in part to the new General Data Protection Regulation (GDPR); that could mean a hefty expense of up to £500 million (or approximately $652 million). TTG placed BA revenue in 2017 at £12.2 billion.

It is also possible for BA to be the subject of class-action lawsuits because of the breach. For example, according to The Register, the firm SPG Law is contending that the airline has not gone far enough in remediation and should thus pay travelers for their inconvenience, distress and annoyance stemming from the breach.

See Related: Incident Of The Week: T-Mobile Data Breach Impacts 2M Customers

In reporting from Tech Radar, Yonathan Klijnsma, Head Researcher at RiskIQ, provided a concise comment on the depth of this cyber incident. He stated: “This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer. This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

Adrian Parkes, Chief Executive of the Guild of Travel Management Companies, told TTG that “these unfortunate incidents highlight the value of using a TMC (travel management company) to manage travel bookings for businesses of all sizes.”

He continued: “Perhaps most at risk of such data breaches are SMEs who tend to book their own travel, however, it’s essential they consider using a TMC for travel arrangements as their data will be handled securely and bookings will be protected.”

Further, in a statement to Wired on Tuesday, the airline did not comment on the (customized) exploitation of its data flow, saying: “As this is a criminal investigation, we are unable to comment on speculation.”

Be Sure To Check Out: Incident Of The Week: 567K Accounts Exposed In Cheddar's Restaurant Breach