BA hacked but they're 'deeply sorry'


b1lanc
7th Sep 2018, 01:14
380K bank cards allegedly. Check your bank accounts if you booked in the last two weeks according to below.
https://www.msn.com/en-gb/news/newsmanchester/british-airways-hack-380000-customers-have-bank-card-details-stolen/ar-BBMY18u

CurtainTwitcher
7th Sep 2018, 01:40
LOL, there is no such thing as safe computing, there never will be unless you build your own hardware and write your own entire software stack (including compiler) FROM SCRATCH. This has been known, outside the military, since 1983, as demonstrated by Ken Thompson, with a proof: Why You Shouldn't Trust Ken Thompson (https://community.cadence.com/cadence_blogs_8/b/breakfast-bytes/posts/why-you-shouldn-t-trust-ken-thompson).

Original paper: Reflections on Trusting Trust (https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf): To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

He references a much earlier finding about this known flaw, and virtually every computer system ever produced is vulnerable.

PAXboy
7th Sep 2018, 01:55
Alex Cruz, British Airways' chairman and chief executive, said: "We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously."
But not seriously enough!

Of course, the Board of BA (and the Director of IT in particular) must be very relieved that this is 'criminal' activity as then it's not their fault and no one will have to lose their gold plated job, company car and pension. :D

kristofera
7th Sep 2018, 03:14
But not seriously enough!


Not seriously at all, I would say. Even now, after the breach, their credit card payment page is lacking some basic measures to keep data entered on it safe from 3rd parties...
https://cimg7.ibsrv.net/gimg/www.gmforum.com-vbulletin/1200x744/dmdbbtxvaaigaji_57daecf7ca3ec7a00fc192c9bb6426fbf9ca0270.jpeg
https://cimg3.ibsrv.net/gimg/www.gmforum.com-vbulletin/1199x788/dmdbcqcvsaavn_i_a05620c7acf0729b9195bce1854eda7b7492dfda.jpeg

Ex Cargo Clown
7th Sep 2018, 05:39
You could do it from the inside. Just saying

BigDotStu
7th Sep 2018, 09:53
LOL, there is no such thing as safe computing, there never will be unless you build your own hardware and write your own entire software stack (including compiler) FROM SCRATCH. This has been known, outside the military, since 1983, as demonstrated by Ken Thompson, with a proof: Why You Shouldn't Trust Ken Thompson (https://community.cadence.com/cadence_blogs_8/b/breakfast-bytes/posts/why-you-shouldn-t-trust-ken-thompson).

Original paper: Reflections on Trusting Trust (https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf): To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

He references a much earlier finding about this known flaw, and virtually every computer system ever produced is vulnerable.

What makes you think building/writing it yourself will make it safer? Isolated systems can be made safe/secure, but they generally aren't very useful for connected applications...

alexgreyhead
7th Sep 2018, 10:37
A little light reading from El Reg to shed some more light on the issue:

https://www.theregister.co.uk/2018/09/06/british_airways_hacked/

TURIN
7th Sep 2018, 10:44
The standard of BA's IT across a number of areas has been shown to be well below par over the last couple of years or so.

There also seems to be a lack of serious ownership of the issues by BA too but will any heads roll?

The heads have already rolled, the IT department was outsourced a while ago.

vancouv
7th Sep 2018, 10:44
BigDotStu is right - as soon as you connect to the outside world your system integrity is compromised. You might have written it yourself but eventually someone cleverer than you is going to find the loophole you don't know anything about. Unfortunately in this day and age not being connected isn't a practical option.

Ben_S
7th Sep 2018, 11:52
Of course they are sorry, GDPR and the new scale of fines available for incidents like this will make them very sorry indeed.

RexBanner
7th Sep 2018, 11:59
From The Register article: “The biz, which bills itself as the world's favorite airline,”

BA hasn't billed itself as that for about 25 years or so. I think they know that wouldn't stand up nowadays.

XBA1709
7th Sep 2018, 17:51
The heads have already rolled, the IT department was outsourced a while ago.
Yes it was and I was one of the staff who lost their job. It was outsourced to TATA in Chennai, India. Since then there have been a number of IT failures but the management who were responsible for the outsourcing (and are still there) continue to put out the line that the outsourcing is not responsible. I've seen reports of staff in call centres and IT service centres in 3rd world countries who are selling customer data to criminal entities.

I have just moved my phone/broadband service and it turns out the new provider outsources their support to India. I am now receiving an average of 5 calls per day from scammers reporting that my broadband/pc/router/tablet/phone has a problem that they can fix remotely. The last call today was from a woman with a sub-continent accent (with call centre noise in the background) claiming to be from the Telephone Preference Group (note: not the Telephone Preference Service, the correct organisation) asking for personal/financial details. As I ported my number over from my previous supplier and have been a subscriber to TPS for years I'm pretty sure it is not coincidence that I'm now known to an Indian call centre and am receiving these calls.

Ex Cargo Clown
7th Sep 2018, 18:04
Half a billion quid fine, so I'm hearing.

Chronus
7th Sep 2018, 18:48
What really concerns me is what exactly has been stolen. If full personal data such as DOB, address, etc. is now in the hands of crooks, they may use it in the future. It is ID theft that I would imagine is the biggest threat. Credit cards may be replaced but what can we now do to protect ourselves against the fact that our IDs may be used for all kinds of mischief?
GDPR and all that fuss and what do you get, a monumental cockup. Can we please have the old IATA paper ticket and the travel agent back. I'd rather pay more than end up being cloned by some bandit and his iPad.

DaveReidUK
7th Sep 2018, 18:59
What really concerns me is what exactly has been stolen. If full personal data such as DOB, address, etc. is now in the hands of crooks, they may use it in the future.

Name, email address, credit card details including (unbelievably) CVV.

kapton
7th Sep 2018, 19:00
That is what you get when you outsource your IT department to cut wages. BA managers thought they were being smart when they made scores of experienced IT personnel redundant, and replaced them with inexperienced staff. It just goes to show that there is a lot of truth in clichés such as, when you pay peanuts you get monkeys. BA are finding out the hard way that having well-trained, loyal, well-paid staff is better than having an outsourced company over which you have no control of standards, training and personnel. BA has learned nothing from the shambles that is outsourcing, which has created havoc in both the public and private sectors. What do BA managers care, it is only reputation, business, and ultimately jobs that are going to suffer the consequences. The managers will be long gone into the distance, business degrees in hand, when that happens.

Ex Cargo Clown
7th Sep 2018, 20:29
"BA managers thought they were being smart", ultimate contradiction in terms

PAXboy
7th Sep 2018, 21:11
Sadly, I can't see that changing their approach. They will continue to presume that it is someone else's fault.

Hussar 54
7th Sep 2018, 21:13
Half a billion quid fine, so I'm hearing.


Always wondered....

Is that used to compensate 'victims' or would, in this case, BA have to cough up for that as well?

Only asking because there appear to be no details of who keeps the fines or what the money is used for when companies such as Microsoft, Google, HSBC, etc. get fined $ billions by different governments and statutory authorities.

Ex Cargo Clown
7th Sep 2018, 21:20
Always wondered....

Is that used to compensate 'victims' or would, in this case, BA have to cough up for that as well?

Only asking because there appear to be no details of who keeps the fines or what the money is used for when companies such as Microsoft, Google, HSBC, etc. get fined $ billions by different governments and statutory authorities.

I believe it goes back to the treasury, then it's up to individuals to sue the company. Nice use of my pension money.

Rated De
7th Sep 2018, 22:43
Penny wise and pound moronic.

In the antipodes, despite the legislation relating to the use of biometrics and personal data yet to pass through the parliament, the other 'best airline management' are up to this...

https://www.qantas.com/au/en/travel-info/travel-advice/facial-recognition.html

https://www.smh.com.au/business/companies/your-face-will-be-your-passport-sydney-airport-to-trial-biometrics-20180221-p4z14p.html

Ever slow on the uptake it seems there is little reaction to this abuse of personal information by two corporate (almost) monopolies, but in news just to hand the surf is up at Bondi.

vikingivesterled
7th Sep 2018, 22:46
It is a paradox that since law enforcement are powerless against the majority of cybercrimes due to their cross-border behaviour (long article in last weekend's Sunday Times Magazine), the governments have through GDPR decided on the easier route of fining the victims instead of going after the perpetrators. Yes, BA is a victim here as well, and an easy target for some more taxes under a different name.

Marty-Party
7th Sep 2018, 22:58
I agree, and I am a BA employee. The GDPR regulations cannot legislate on cross-border hacks but will fine those who are victims. However, outsourcing to IT centres abroad increases that risk as it's more difficult to control what goes on - no need to dispute that as it is an obvious fact. IT centres in other countries are not bound by UK law apart from the contract they sign with the UK company. For balance, I have no idea if the hack was due to IT being outsourced but I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

To broaden the subject (sorry for the thread creep), why has Cruz still got his job? Don't BA have non-execs who are supposed to monitor the CEO etc.? IAG are making unbelievable profits (let's face it, BA is making the money) but the board are allowing one disaster after another. In many industries Cruz would have gone by now, so why is he still CEO?

Rated De
7th Sep 2018, 23:02
I agree, and I am a BA employee. The GDPR regulations cannot legislate on cross-border hacks but will fine those who are victims. However, outsourcing to IT centres abroad increases that risk as it's more difficult to control what goes on - no need to dispute that as it is an obvious fact. IT centres in other countries are not bound by UK law apart from the contract they sign with the UK company. For balance, I have no idea if the hack was due to IT being outsourced but I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

To broaden the subject (sorry for the thread creep), why has Cruz still got his job? Don't BA have non-execs who are supposed to monitor the CEO etc.? IAG are making unbelievable profits (let's face it, BA is making the money) but the board are allowing one disaster after another. In many industries Cruz would have gone by now, so why is he still CEO?

Great question, dear chap, but unfortunately accountability exists in name only.
They pocket the benefit from the destruction and outsourcing of staff, they then apply a contract remedy when discovered.
Would respectfully disagree with some posters, BA are not the victim. There would most certainly have been internal dissent to this decision, but the 'savings' and therefore personal benefit outweighed any consideration of the security of the customer details.

wowzz
7th Sep 2018, 23:49
Seems that BA could be facing a fine of £500 million. Looks like outsourcing is not the cheapest option after all.
As a shareholder, I would be asking why the CEO is still in position, after the second catastrophic IT failure in two years.

RickNRoll
8th Sep 2018, 00:12
You could do it from the inside. Just saying

That's often how it's done.

BigFrank
8th Sep 2018, 00:16
I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

....... IAG are making unbelievable profits (let's face it, BA is making the money) ......

i) But BA is just a brand, bereft of legal autonomy. It is IAG, a Spanish-based EU company which owns and uses the BA brand, which will foot the bill.

ii) Can you provide chapter and verse on the extent to which BA is raking in the euro and thereby keeping Iberia, Vueling, AL, Level afloat?

RickNRoll
8th Sep 2018, 00:19
Are they PCI Compliant?

https://www.pcicomplianceguide.org/faq/

Q1: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org (https://www.pcisecuritystandards.org/)), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here (https://www.pcisecuritystandards.org/security_standards/documents.php).

tdracer
8th Sep 2018, 02:17
While they may well decide that outsourcing IT was a false economy (a 500 million quid fine can do that - not to mention the cost to the brand image), it's a whole lot harder to bring IT back in-house than it was to outsource it. This isn't like cleaning the restrooms - it takes months, even years, and large bags of money to build the IT infrastructure back to where it needs to be for a major airline.
Heads should roll. Not that they will, but they should.

kristofera
8th Sep 2018, 02:44
Are they PCI Compliant?
Probably not. Yet, they probably have a certificate from one of the big 5 consulting firms saying that they are.
Most airlines do dumb stuff that directly contradicts some of the PCI-DSS requirements, but due to how audits are generally focused on ticking boxes on checklists they can continue including 3rd party trackers, chatbots, and key loggers on their payment pages.

I did a short writeup on this a few months ago, you will find it here: https://huagati.********.com/2018/05/things-you-probably-dont-want-to-do-on.html
(replace asterisks with b_l_o_g_s_p_o_t without underscores... for some reason the forum software keeps censoring that URL)

It includes examples from a bunch of other airlines, but BA was not included in my list back then. However, earlier in this thread I posted a fresh example from BA's website as of yesterday:
https://www.pprune.org/rumours-news/613073-ba-hacked-but-they-re-deeply-sorry.html#post10243194

Chris the Robot
8th Sep 2018, 02:57
I've seen offshoring first hand through a previous job, it was a total disaster however getting anyone from management to admit as much was impossible.

Firstly, a lot of the really good people from cheaper countries emigrate to Europe, North America, Singapore etc. where they can earn more money. So, in choosing to offshore away, any company is missing out on some of the best people from the country they're offshoring to.

Secondly, the offshoring "partner" (i.e. consultancy firm) had a name beginning with an "I". A family member who works for one of the better consultancy firms turned the air blue when he heard their name.

A lot of offshoring firms start by putting good* people in place for about three months, then replace them with people who can't string a sentence together in English.

All of this is before face culture, corruption and other nasties, if the offshore bods make a hash out of things, don't expect them to admit it or tell you what went wrong so it can be fixed. A lot of them have fake qualifications too, so don't expect them to know what they're doing.

Offshoring tends to be preceded by voluntary redundancy, a lot of people who put their name forward do so because they'll have no problem getting a job elsewhere, or because they fancy an early retirement. Where I was, there were people practically begging for voluntary each time it came up; most of them had done 25 years plus, which would have meant in most cases a six-figure pay off.

As it turned out, in the end a few managers seemed to begin to realise it wasn't working. So they brought in a UK consultancy firm to run some projects at company locations in the UK. They ended up paying over £500/day for grads straight out of uni who needed somewhere to cut their teeth. Paying to train another company's staff, you couldn't make it up.

Unsurprisingly, there were some high-profile IT cock-ups...

*When I say "good", I mean distinctly average and that's just their language ability...

FlightlessParrot
8th Sep 2018, 03:22
...why has Cruz still got his job? .... IAG are making unbelievable profits..., so why is he still CEO?
I think you answered your own question. Customers? Staff? We'd outsource them if we could. Our job is to sit astride the cash flow, taking a little sliver off it as it passes through our hands. Modern management.

WHBM
8th Sep 2018, 05:47
Anyone using the BA booking website will recognise all sorts of inconsistencies, bugs, page crashes, "we cannot perform that action at this time" messages, and similar, far more since the operation was outsourced than before.

If they can't get the basic logic of the application right, it strains credulity that the IT team nevertheless are competent enough to make the whole thing adequately secure. Possibly the Information Commissioner will ask Alex Cruz to reconcile these two aspects...

andytug
8th Sep 2018, 08:17
Unfortunately most managers treat IT as they would the water supply or the paper towels in the toilets, something to be cut as much as possible to increase the bottom line, thus ensuring their bonus. In most cases IT is the business, banks being a prime example, they're all just IT companies that move money around now. Because they don't understand IT they don't see it as important, and until they do things like this will continue to happen. Witness the rush to cloud computing - which is just your data on someone else's computer, and when it dies you're stuffed.
But hey, they still all get their golden parachutes and then move on to the next victim.

ShyTorque
8th Sep 2018, 09:57
Name, email address, credit card details including (unbelievably) CVV.

My understanding is that by law, a CVV cannot be logged or stored in any way.

Obviously those responsible at BA did not carry out "due diligence" before awarding a contract to the outsourced IT company.

This could be the downfall of BA, not just because of the size of any fine imposed, but because of the loss of confidence of their customers. I, for one, won't be passing them any credit card details anytime soon.

dtaylor1984
8th Sep 2018, 10:04
From what has been said, there is no indication they were storing the CVVs. The attack appears to have compromised the front end and transmitted details to a third-party as they were entered. Thus leaking the CVV (and any other payment data entered during the transaction) but not allowing access to any stored data.

friartuck
8th Sep 2018, 10:21
This seems to be a decent shot at what happened

BBC Technology page

BA has not revealed any technical details about the breach, but cyber-security experts have some suggestions of possible methods used. Names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes were stolen by the hackers. At first glance, they appear to give no details about the hack, but by "reading between the lines", it is possible to infer some potential attack routes, says cyber-security expert Prof Alan Woodward at the University of Surrey.

Take BA's specification of the exact times and dates between which the attack occurred - 22:58 BST, 21 August 2018 until 21:45 BST, 5 September 2018 inclusive. "They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk," says Prof Woodward. "It looks very much like the details were nabbed at the point of entry - someone managed to get a script on to the website."
This means that as customers typed in their credit card details, a piece of malicious code on the BA website or app may have been furtively extracting those details and sending them to someone else.

Prof Woodward points out that this is an increasing problem for websites that embed code from third-party suppliers - it's known as a supply chain attack. Third parties may supply code to run payment authorisation, present ads or allow users to log into external services, for example.
[Image caption: Popular events ticketing website Ticketmaster was hit with a data breach earlier this year]
Such an attack appeared to affect Ticketmaster recently, after an on-site customer service chatbot caused a breach affecting up to 40,000 UK users. Without further details, there is no way of knowing for sure if something similar has happened to BA. Prof Woodward points out it may just as easily have been a company insider who tampered with the website and app's code for malicious purposes. Because CVV data, the three-digit security code on credit and debit cards, was also taken in the attack, it is indeed likely the details were lifted live, according to Robert Pritchard, a former cyber-security researcher at GCHQ and founder of private firm The Cyber Security Expert.

This is because CVV codes are not meant to be stored by companies, though they may be processed at payment time. "This means it was either a direct compromise of their... booking site, or compromise of a third party provider," he told the BBC. Prof Woodward added that private firms using third party code on their websites and apps must continually vet such products, to ensure weak points in security don't emerge. "You can put the strongest lock you like on the front door," he said, "but if the builders have left a ladder up to a window, where do you think the burglars will go?"

esa-aardvark
8th Sep 2018, 10:40
Anyone know how widespread this kind of 'insecurity' is? Just a day or two ago I paid my electricity bill using the supplier's website. I realise now that I could (should?) have paid via my online banking which is supposed to be really secure (dongle & all).
The article by kristofera is quite worrying.

friartuck
8th Sep 2018, 11:21
Nothing is secure TBH - it's like code-breaking or the radar wars during WW2.

The bad guys break the code, the good guys improve things - but it never lasts.

The world (outside NK) is totally connected, too many brains at work, too many ways in, too many lazy people (remember a big ENIGMA break was the realisation that operators often signed off with "HH" - Heil Hitler..), too much incentive if you are inside to join the Dark Side...

All you can do is stay alert and use the maximum amount of security you can.

groundbum
8th Sep 2018, 12:14
About the potential half billion fine. It could well be written into the outsourcing contract that any fine etc be paid by the outsourcing company and not BA. So other than reputational damage it could be BA walks away scot free..

G

scr1
8th Sep 2018, 16:49
About the potential half billion fine. It could well be written into the outsourcing contract that any fine etc be paid by the outsourcing company and not BA. So other than reputational damage it could be BA walks away scot free..

Except facing a bill of this size would leave the outsourcing company bankrupt and then BA would still have to pay

phylosocopter
9th Sep 2018, 00:46
Possibly we approach the point where your details as an air traveller who actually purchases stuff is worth more than the fare paid?

3rd_ear
9th Sep 2018, 18:49
Are they PCI Compliant?

I would be utterly appalled if they weren't - unless they've bullied their acquirer into submission on the basis of their scale and throughput (aka the richness of the pickings for the acquirer). They should at any rate have a shedload of PCI-DSS auditors all over them at the minute. I'm not sure that outsourcing IT transfers the responsibility, either.

Chronus
9th Sep 2018, 19:36
Is there any news on any individuals who have had money stolen from their credit cards?

Dannyboy39
9th Sep 2018, 19:40
Posted this on the AAR thread...

I travel all the time like many on here and will happily moan about using Ryanair - but most of the time they will get me there on time, no issues. I've used them 30-40 times in the last 18 months and they are rarely late, if a bit uncomfortable.

I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure. And now my second trip to NCL, this happens. It’s not really good enough is it?

I didn't lose any money (I've seen some pictures on social media of affected transactions). I did however block my card before going travelling again as banks don't send cards to hotels or other locations which aren't your home. In the meantime I still have to pay for flights and hotels on my personal rather than business card. Frustrating.

As for Cruz, I'm not really sure how he still has a job - he seems to be made of teflon over the last couple of years. Aside from strong financial performance, the airline has regressed into a lower division when it comes to product.

FrontSeatPhil
9th Sep 2018, 22:55
I really don't want to defend BA, but...

I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure.

...I don't think that one can be blamed on them. I'd imagine all airlines were affected. Equally...

And now my second trip to NCL, this happens. It's not really good enough is it?

...every company is hackable. BA's loss isn't even particularly big. Heartland Payment Systems lost 130 million cards, TKMaxx lost 94m and Sears lost 90m. The best security techniques will eventually be bettered by those that value the data hidden away. With the information revealed so far, I've a good idea what might have happened, and many companies would be at risk of a similar attack.

I did however block my card before going travelling again as banks don't send cards to hotels or other locations which aren't your home.

American Express will, on some accounts. In fairness, you do pay handsomely for the services they offer, but they can be good value.

hunterboy
10th Sep 2018, 06:20
Once again, omnishambles seems to sum up BA’s operation. At least it’s never a dull moment working there. Like many of the staff, I often wonder what we could have achieved had we been led by decent management. But then, you only have to look at the calibration of politicians running the country to see that it must be a cultural thing.

crewmeal
10th Sep 2018, 06:30
Gone are the days when you could go into a BA shop and pay cash or write a cheque for your flight!

Theviewdownhere
10th Sep 2018, 08:05
I work in IT and unfortunately the cost cutting is rampant. Everything is being moved overseas (not that I am saying they are any less capable) but the testing timelines have been trimmed to almost non-existent. There was a time when we used to say the testing of our code should be 10 times the actual writing time. Unfortunately, testing is one of the items that has been stripped to the core. Automated testing can NOT match personal testing (rant over). TVDH

B Fraser
10th Sep 2018, 08:17
I have visited a few offshore IT establishments and their security has to be seen to be believed. My car was inspected including the underside where the security chap used a pole with a mirror to check for goodness knows what. I doubt he would have recognised anything out of the ordinary. My team were then met by another security bloke who was 5 foot one and weighed about 50 kilos. He sported a baseball cap with a swastika and the word "Security". The symbol is a Hindu good luck charm but my colleagues and I had a little bit of trouble keeping a straight face. We were searched and the camera on our mobiles was spotted. This was resolved (I kid you not) by placing a piece of sticking plaster over the lens and we were then allowed to take our phones on site. The camera lenses on our laptops were ignored.

The following day, we held our phones in our hands above our heads while being searched and walked in minus the sticking plasters.

Theviewdownhere
10th Sep 2018, 08:32
B Fraser, I know the feeling. Worked in India rolling out software. Was not allowed to take a pen in to the call centre in case I wrote down a credit card number!! Despite the fact that I had FULL admin privileges to the entire company's databases :-) ...... not that the databases held credit card details (but you get my drift). The most worrying thing about this "breach" is that CVV details should NEVER be held!

B Fraser
10th Sep 2018, 08:35
I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

DaveReidUK
10th Sep 2018, 08:46
The most worrying thing about this "breach" is that CVV details should NEVER be held!

There's no evidence that they were stored.

Theviewdownhere
10th Sep 2018, 08:56
DaveReidUK

NOT stored - sorry my mistake - but stolen at source, nasty code, a key stroke logger. It seems a third party plugin had this malicious code.

Ben_S
10th Sep 2018, 10:46
I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

Do you want them to buy special ones without them? Much simpler just to buy standard hardware and lock down the ports.

B Fraser
10th Sep 2018, 16:03
Far better to have the IT wallah remove the USB port cards. Ports can be re-enabled in software.

DaveReidUK
10th Sep 2018, 17:38
Far better to have the IT wallah remove the USB port cards.

On a laptop ? You're kidding, of course.

Ports can be re-enabled in software.

If your users have admin access to policies on your PCs, then the presence or absence of USB ports is the least of your problems. :O

Ex Cargo Clown
10th Sep 2018, 18:52
What I'd love to know is as this appears to be an "internal" 3rd party hack, who the hell is going to investigate it?

ethicalconundrum
10th Sep 2018, 19:44
I work in networking in the US. You do NOT want me to start telling stories about security breaches. I'll share one. Last Nov I was asked to go onsite at the federal IRS office in a large US southern state. I went to some of the storage systems where they keep taxpayer records. I typed in the default root password for the machine and on 7 of 11 of the systems - I was into their storage subsystem as root login. I told the on-site wunderkind who had to be all of 19 years old. He said they had already 'hardened them'. I said it needs to be harder than hard. They also have offsite management networks that breaches the comms firewall with no VPN. Oye.....

beamender99
11th Sep 2018, 10:15
https://www.bbc.co.uk/news/technology-45481976
"A cyber-security firm has said it found a malicious script injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions (https://www.bbc.co.uk/news/uk-england-london-45440850).
A RiskIQ researcher analysed code from BA's website and app around the time when the breach began, in late August.
He claimed to have discovered evidence of a "skimming" script designed to steal financial data from online payment forms.
BA said it was unable to comment."

barry lloyd
11th Sep 2018, 10:31
As luck would have it, I had booked a ticket with BA at just the wrong moment. Result? The bank has cancelled my card (but didn't bother to tell me), and is re-issuing. From BA? An apologetic email or even a snail mail letter (since I am a BA loyalty card holder)? Nothing, other than the 'very sorry' blanket apology.

As has been pointed out earlier, BA is merely an arm of IAG these days, and it shows. In the same way as many of our railway companies are now foreign-owned and offering a less than satisfactory service, but nevertheless raking in lots of Sterling.

TURIN
11th Sep 2018, 11:39
Bang goes the staff bonus. Even though it's not their fault...again.

PAXboy
11th Sep 2018, 19:57
BBC web news (https://www.bbc.co.uk/news/technology-45481976)
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.

Blackfriar
12th Sep 2018, 14:09
BA used to be described as a pension scheme that ran an airline. These days to run any modern, efficient company you need to be an IT company that runs an airline. The flying bit is old hat and much the same as when I was a despatcher and ops planner in the early 90s. The clever bit is selling the seats and handling the complexity of bookings, check-in, and third party sales (hotels, car-hire, fast-track security etc.) as efficiently and effectively as possible. Which takes a great in-house IT team that have loads of experience in an airline, not a mars bar factory. Outsourcing the IT is like outsourcing the aircraft, crews and customer service - but maybe that's what BA wants to do, while sitting on a valuable pile of slots. Maybe they should just close the whole lot down and lease the slots with a couple of people collecting the money and passing it on to the pension fund and government taxes. When I worked there we joked that if we sold all the assets and invested the money the business would be far more profitable.
On the technical side of this breach it looks like BA is in breach of the Payment Card Industry rules (PCI DSS) by having multiple externally linked scripts running on the payment page where none are allowed. The hackers just injected another script that skimmed off the details (so I read from IT sources). This must make them liable for a huge Information Commissioner's Office fine under GDPR.

PAXboy
12th Sep 2018, 20:01
In the mid-90s, I was working for a very large high street retailer known throughout the UK. With (then) over 900 shops of various brands, they relied utterly on their IT (of which I was a contractor). Whilst I was there, I saw them downgrade the importance of the whole department. As the demands on us grew, so they ignored what we were telling them.

One week, the data network of the head office collapsed under the strain. Once fixed (three days later) they came hunting. My team and I showed them the weekly reports we had been sending them warning of the overload. They ignored the warnings until the network collapsed under the weight of traffic we had been warning about.

They all take IT for granted - even when it is 100% critical to their operation, as Blackfriar puts it.

DaveReidUK
12th Sep 2018, 21:33
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.

It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?

kristofera
13th Sep 2018, 02:10
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?
It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA or British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/updated-bawayscom-hosting-company-not-contacted-police-regarding-ba-hack-investigation/article/1492560

b1lanc
13th Sep 2018, 02:54
It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA or British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/updated-bawayscom-hosting-company-not-contacted-police-regarding-ba-hack-investigation/article/1492560

Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.

kristofera
13th Sep 2018, 03:02
Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.

b1lanc
13th Sep 2018, 03:25
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.

I don't disagree. But, what they should have done is reported to law enforcement before they took any action. So which LEA would whomever discovered the breach have contacted given the outsource? Laws vary wildly between sovereign nations on this matter. And it takes years to analyze. The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

kristofera
13th Sep 2018, 05:23
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.
From the attacker's perspective, the outcome of the BA hack is a total failure. Most of the cards they were able to get details on have or will be cancelled and reissued. If BA had not gone public with it (some companies prefer to try to cover up this kind of incident), or if the attackers had removed the malicious script earlier then the stolen card details would remain valid for a longer period of time.

msbbarratt
13th Sep 2018, 07:38
There's reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website. When your browser downloaded BA's page, that in turn would go fetch the code from the third party. The mistake BA made was to do that on payment pages too. Someone has hacked the third party, so BA were unwittingly bringing in the hacked code from there whilst also asking you for credit card details, etc. The hacked third party code, as part of the web page BA composed, is free to access any data being typed on the page by customers. Bingo!

BA's failure was to make their web security only as good as that of all the third parties they fetched code from. Ooops.

It's the equivalent of booking a ticket by phone, and the vendor letting someone eavesdrop on the conversation whilst you read out your card number without taking too much care to check who that someone actually was, is, or could be.

It now looks like it's popping up all over the Internet, so BA may well not be the last we hear of this.

DaveReidUK
13th Sep 2018, 08:00
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

Though I'd suggest that the value of a stolen credit card number is considerably increased if, as in this case, it's accompanied by a known CVV.

kristofera
13th Sep 2018, 08:00
There's reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website.

That was the case for Delta, Sears, Ticketmaster and many others. That has been the most common delivery mechanism for this type of script lately.

However, in BA's case, the malicious script was actually hosted on their own site, not on a 3rd party site.

That said, I think we will continue to see many more similar hacks, and since many airlines include script from 10-20 different third party hosts in their payment pages, I think we can expect more data leaks facilitated by 3rd party trackers/chatbots/etc.
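
As an added example (not from this thread, BA or RiskIQ), here is a small Python audit of a constructed checkout page for the conditions Blackfriar and msbbarratt describe: scripts pulled from third-party hosts, first-party scripts without Subresource Integrity, and inline scripts, together with the Content-Security-Policy header that would confine script sources to the page's own origin. The host names, file paths and markup are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (hypothetical markup, not any airline's real page).
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js" integrity="sha384-EXAMPLEHASH"></script>
<script src="https://cdn.feedback-widget.example/widget.js"></script>
<script src="/static/analytics-loader.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body>
<form id="payment"><input name="card_number"><input name="cvv"></form>
</body></html>"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []   # one dict per <script>: src, integrity attribute, inline body
        self._open = False  # True while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._open = True

    def handle_data(self, data):
        if self._open and self.scripts[-1]["src"] is None:  # only inline scripts carry a body
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_scripts(html, first_party_host, allowed_hosts=()):
    """Return (category, src, note) for each script a first-party-only payment page should not carry."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            findings.append(("inline", None, "inline script on the payment page; move it to a hashed first-party file"))
            continue
        host = urlparse(s["src"]).hostname  # None for relative paths, i.e. same-origin files
        if host and host != first_party_host and host not in allowed_hosts:
            findings.append(("third-party", s["src"], f"loaded from {host}; outside the page's own origin"))
        elif not s["integrity"]:
            findings.append(("no-sri", s["src"], "no integrity attribute; a modified file would load unchallenged"))
    return findings

def sri_hash(script_bytes):
    """Subresource Integrity value (sha384, base64) for use in a script's integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode()

def csp_header(allowed_hosts=()):
    """CSP restricting script sources to the page's own origin plus explicitly allow-listed hosts."""
    sources = ["'self'"] + [f"https://{h}" for h in sorted(allowed_hosts)]
    return "Content-Security-Policy: script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for category, src, note in audit_scripts(SAMPLE_PAGE, "www.airline.example"):
        print(f"[{category}] {src or '<inline>'}: {note}")
    print(csp_header())
```

Allow-listing a host (for example a payment processor's own script host) downgrades its finding from third-party to a missing-SRI check, so every remaining external file still has to be pinned by hash.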

PAXboy
18th Sep 2018, 19:09
Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.

rog747
19th Sep 2018, 07:57
Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.

If he had to dispute an unknown transaction on his card he contacts his bank or card provider - Which he has done.

They will cancel his card, they should negate the charge, and he will have to wait for a new card to be sent - Which is being done.
Any other cards he may have had stored on the BA payments page should also be cancelled.

He needs to be now mindful of further phishing attempts - Best to change email and bank online passwords.

If he is out of pocket for any expenses because of this data breach then also contact BA. https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

It seems there are now lawyers and websites out there offering to make a compensation claim on behalf of affected clients.
I assume on a no win no fee basis. Such as this one:
https://www.badatabreach.com/?gclid=CjwKCAjw54fdBRBbEiwAW28S9nK2b8ONYGIiKR0BZKMWS0o97wU_YZt7rF83j5S8AFUK51q2Lm0pSxoC-qIQAvD_BwE
Be careful of those - I would let the dust settle to see if BA makes, or is instructed to make an offer to all affected pax...

This is of interest
http://www.theweek.co.uk/96327/british-airways-data-breach-how-to-check-if-you-re-affected

dastocks
19th Sep 2018, 10:03
Any other cards he may have had stored on the BA payments page should also be cancelled.

I have/had two cards stored on BA website. I used one of them during the period that security was compromised.

I contacted the issuers, and the card that I had *not* used was blocked and is being re-issued. However, the issuer for the card that I *did* use advised me:
1. there is currently no suspicious activity on the account (I can see this for myself via online banking)
2. their fraud prevention folk are on the case: it's Lloyds, and they do seem to be on the ball
3. there is currently no need to block the card.

I assume that if card issuers find they are losing money because of this incident they will simply send the bill to BA.

Nicolaus Silver
19th Sep 2018, 15:05
Isn't $x million enough profit? Whenever one increases quantity one reduces quality....not just BA scenario but maintenance of craft by overseas operations, also out to make a profit and take short cuts in so doing, not have the same standard of hiring staff with as good qualifications and care that home based personnel offer. One carrier exec said even if they lost 2 planes they would only lose 5% of market share in the short term........sums it all up so BA Qantas et al don't give a hoot and corporations in the last 20 years have been free to plunder regardless of community impact with the blessing of puppet democracies.

GordonR_Cape
8th Jul 2019, 09:58
https://www.bbc.com/news/business-48905907
British Airways faces record £183m fine for data breach

I imagine that many people's first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine - surely the decimal point must be in the wrong place?

After all the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe's GDPR. This allows fines of up to 4% of annual turnover.

Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon but today's news will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation.

The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.

British Airways certainly appears to be stunned. But then again it could have been worse: the full 4% of turnover would have meant a fine approaching £500m.

Doctor Cruces
8th Jul 2019, 10:29
Their lack of passenger care is proven by their recent LOI for 737 Max. I certainly won't be flying on one, ever. A bit like I never flew on a DC10.

hunterboy
8th Jul 2019, 10:37
183M here and a couple hundred Mill with the future strike, and pretty soon we are talking real money.

Auxtank
8th Jul 2019, 10:43
They'll have to drop a couple of MAXs from the order they've recently put in to Boeing.

Bergerie1
8th Jul 2019, 11:40
I think you will find it was IAG and not BA that ordered all those MAXs.

pilotmike
8th Jul 2019, 12:55
I think you will find it was IAG and not BA that ordered all those MAXs.

I think you'll find that neither company ordered any MAX aircraft. A LOI is not an order.

Sunfish
8th Jul 2019, 13:06
They were warned.

Bergerie1
8th Jul 2019, 13:15
pilotmike, you are indeed right!!!

Auxtank
8th Jul 2019, 15:46
I think you will find it was IAG and not BA that ordered all those MAXs.

And I think you'll find (LOI or otherwise) BA and IAG are the same bl**dy thing.

wiggy
8th Jul 2019, 16:19
And I think you'll find (LOI or otherwise) BA and IAG are the same bl**dy thing.

..and I think you'll find in turn that statement will come as something of a surprise to many working at BA, Vueling, Iberia....

Auxtank
8th Jul 2019, 17:49
..and I think you'll find in turn that statement will come as something of a surprise to many working at BA, Vueling, Iberia....

From Wikipedia.
I've highlighted the pertinent sentence in bold for you.

International Consolidated Airlines Group, S.A., often shortened to IAG, is an Anglo-Spanish multinational (https://en.wikipedia.org/wiki/Multinational_corporation) airline holding company (https://en.wikipedia.org/wiki/Holding_company) with its registered office in Madrid, Spain and its operational headquarters in London, UK. It was formed in January 2011 after a merger agreement between British Airways (https://en.wikipedia.org/wiki/British_Airways) and Iberia (https://en.wikipedia.org/wiki/Iberia_(airline)), the flag carrier (https://en.wikipedia.org/wiki/Flag_carrier) airlines of the United Kingdom and Spain respectively. As British Airways was the larger company, those holding shares in British Airways at the time of the merger were given 55% of the shares in the new, merged company. British Airways and Iberia ceased to be independent companies and instead became 100% owned subsidiaries of IAG.

DaveReidUK
8th Jul 2019, 18:14
I admire your nerve, arguing with people who actually work for the company in question. :O

British Airways and Iberia ceased to be independent companies and instead became 100% owned subsidiaries of IAG.

Er, yes, but that doesn't mean that BA=IAG any more than it means IB=IAG (by that logic, BA=IB).

Auxtank
8th Jul 2019, 18:24
Oh Gawd - looks who's wading in now.

The hair has been sufficiently split.

I withdraw.

DaveReidUK
8th Jul 2019, 23:16
Oh Gawd - looks who's wading in now.

The hair has been sufficiently split.

Nice try, but I don't accept any responsibility for a poster's inability to understand how airline groupings work. :O

568
9th Jul 2019, 04:41
As luck would have it, I had booked a ticket with BA at just the wrong moment. Result? The bank has cancelled my card (but didn't bother to tell me), and is re-issuing. From BA? An apologetic email or even a snail mail letter (since I am a BA loyalty card holder)? Nothing, other than the 'very sorry' blanket apology.

As has been pointed out earlier, BA is merely an arm of IAG these days, and it shows. In the same way as many of our railway companies are now foreign-owned and offering a less than satisfactory service, but nevertheless raking in lots of Sterling.

That "less than satisfactory service" could be because of the privatization of the railways from a former government!

PerPurumTonantes
9th Jul 2019, 07:31
That "less than satisfactory service" could be because of the privatization of the railways from a former government!
Thread derailed :ok: