Go Back  PPRuNe Forums > Flight Deck Forums > Rumours & News
Reload this Page >

BA hacked but they're 'deeply sorry'

Rumours & News Reporting Points that may affect our jobs or lives as professional pilots. Also, items that may be of interest to professional pilots.

BA hacked but they're 'deeply sorry'

Old 7th Sep 2018, 22:43
  #21 (permalink)  
 
Join Date: Sep 2017
Location: Europe
Posts: 1,674
Likes: 0
Received 0 Likes on 0 Posts
Penny wise and pound moronic.

In the antipodes, despite the legislation relating to the use of biometrics and personal data yet to pass through the parliament, the other 'best airline management' are up to this...

https://www.qantas.com/au/en/travel-...cognition.html

https://www.smh.com.au/business/comp...21-p4z14p.html

Ever slow on the uptake it seems there is little reaction to this abuse of personal information by two corporate (almost) monopolies, but in news just to hand the surf is up at Bondi.
Rated De is offline  
Old 7th Sep 2018, 22:46
  #22 (permalink)  
 
Join Date: Aug 2007
Location: Ireland
Posts: 207
Likes: 0
Received 0 Likes on 0 Posts
It is a paradox that since law enforcement are powerless against the majority of cybercrimes due to their cross-border behaviour (long article in last weekends Sunday Times Magazine), the governments have through GDPR decided on the easier route of fining the victims instead of going after the perpetrators. Yes, BA is a victim here as well, and an easy target for some more taxes under a different name.
vikingivesterled is offline  
Old 7th Sep 2018, 22:58
  #23 (permalink)  
 
Join Date: Apr 2003
Location: UK
Posts: 49
Likes: 0
Received 0 Likes on 0 Posts
I agree, and I am a BA employee. The GDPR regulations cannot legislate on cross boarder hacks but will fine those who are victims. However, outsourcing to IT centres abroad increases that risk as it's more difficult to control what goes on - no need to dispute that as it is an obvious fact. IT centres in other countries are not bound by UK law apart from the contract they sign with the UK company. For balance, I have no idea if the hack was due to IT being outsourced but I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

To broaden the subject (sorry for the thread keep), why has Cruz still got his job? Don't BA have non-execs who are supposed to monitor the CEO etc ? IAG ) are making unbelievable profits (lets face it BA is making the money) but the board are allowing one disaster after another. In many industries Cruz would have gone by now, so why is he still CEO ?
Marty-Party is offline  
Old 7th Sep 2018, 23:02
  #24 (permalink)  
 
Join Date: Sep 2017
Location: Europe
Posts: 1,674
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Marty-Party
I agree, and I am a BA employee. The GDPR regulations cannot legislate on cross boarder hacks but will fine those who are victims. However, outsourcing to IT centres abroad increases that risk as it's more difficult to control what goes on - no need to dispute that as it is an obvious fact. IT centres in other countries are not bound by UK law apart from the contract they sign with the UK company. For balance, I have no idea if the hack was due to IT being outsourced but I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

To broaden the subject (sorry for the thread keep), why has Cruz still got his job? Don't BA have non-execs who are supposed to monitor the CEO etc ? IAG ) are making unbelievable profits (lets face it BA is making the money) but the board are allowing one disaster after another. In many industries Cruz would have gone by now, so why is he still CEO ?
Great question Dear chap, but unfortunately accountability exists in name only.
They pocket the benefit from the destruction and outsourcing of staff, they then apply a contract remedy when discovered.
Would respectfully disagree with some posters, BA are not the victim. There would most certainly have been internal dissent to this decision, but the 'savings' and therefore personal benefit outweighed any consideration of the security of the the customer details.
Rated De is offline  
Old 7th Sep 2018, 23:49
  #25 (permalink)  
 
Join Date: Apr 2009
Location: Darkest Lincs
Posts: 520
Likes: 0
Received 0 Likes on 0 Posts
Seems that BA could be facing a fine of £500 million. Looks like outsourcing is not the cheapest option after all.
As a shareholder, I would be asking why the CEO is still in position, after the second catastrophic IT failure in two years.
wowzz is offline  
Old 8th Sep 2018, 00:12
  #26 (permalink)  
 
Join Date: Jul 2013
Location: Australia
Posts: 268
Likes: 0
Received 4 Likes on 2 Posts
Originally Posted by Ex Cargo Clown
You could do it from the inside. Just saying
That's often how it's done.
RickNRoll is offline  
Old 8th Sep 2018, 00:16
  #27 (permalink)  
 
Join Date: May 2011
Location: Girona
Posts: 230
Likes: 0
Received 0 Likes on 0 Posts
BA no longer exists

Originally Posted by Marty-Party
I'm sure that the tech guys abroad won't be fined, it will be the UK based BA company.

....... IAG ) are making unbelievable profits (lets face it BA is making the money) ......

i) But BA is just a brand, bereft of legal autonomy. It is IAG, a Spanish based EU company which owns and uses the BA brand, which will foot the bill.

ĦĦ) Can you provide chapter and verse on the extent to which BA is raking in the euro and therby keeping Iberia, Vueling, AL, Level afloat?
BigFrank is offline  
Old 8th Sep 2018, 00:19
  #28 (permalink)  
 
Join Date: Jul 2013
Location: Australia
Posts: 268
Likes: 0
Received 4 Likes on 2 Posts
Are they PCI Compliant?

https://www.pcicomplianceguide.org/faq/

Q1: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here. Back to Top
RickNRoll is offline  
Old 8th Sep 2018, 02:17
  #29 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 68
Posts: 4,177
Received 87 Likes on 45 Posts
While they may well decide that outsourcing IT was a false economy (a 500 million quid fine can do that - not to mention the cost to the brand image), it's a whole lot harder to bring IT back inhouse than it was to outsource it. This isn't like cleaning the restrooms - it takes months, even years, and large bags of money to build the IF infrastructure back to where it needs to be for a major airline.
Heads should roll. Not that they will, but they should.
tdracer is offline  
Old 8th Sep 2018, 02:44
  #30 (permalink)  
 
Join Date: Mar 2008
Location: Bangkok
Posts: 47
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by RickNRoll
Are they PCI Compliant?
Probably not. Yet, they probably have a certificate from one of the big 5 consulting firms saying that they are.
Most airlines do dumb stuff that directly contradict some of the PCI-DSS requirements, but due to how audits are generally focused on ticking boxes on checklists they can continue including 3rd party trackers, chatbots, and key loggers on their payment pages.

I did a short writeup on this a few months ago, you will find it here: https://huagati.********.com/2018/05...-to-do-on.html
(replace asteriskes with b_l_o_g_s_p_o_t without underscore... for some reason the forum software keeps censoring that URL)

It includes examples from a bunch of other airlines, but BA was not included in my list back then. However, earlier in this thread I posted a fresh example from BA's website as of yesterday:
BA hacked but they're 'deeply sorry'

Last edited by kristofera; 8th Sep 2018 at 03:04.
kristofera is offline  
Old 8th Sep 2018, 02:57
  #31 (permalink)  
 
Join Date: Apr 2012
Location: UK
Posts: 281
Likes: 0
Received 0 Likes on 0 Posts
I've seen offshoring first hand through a previous job, it was a total disaster however getting anyone from management to admit as much was impossible.

Firstly, a lot of the really good people from cheaper countries emigrate to Europe, North America, Singspore etc. where they can earn more money. So, in choosing to offshore, away any company is missing out on some of the best people from the country they're offshoring to.

Secondly, the offshoring "partner" (i.e. consultancy firm) had a name beginning with an "I". A family member who works for one of the better consultancy firms turned the air blue when he heard their name.

A lot of offshoring firms start by putting good* people in placed for about three months, then replace the. with people who can't string a sentence together in English.

All of this is before face culture, corruption and other nasties, if the offshore bods make a hash out of things, don't expect them to admit it or tell you what went wrong so it can be fixed. A lot of them have fake qualifications too, so don't expect them to know what they're doing.

Offshoring tends to be preceded by voluntary redundancy, a lot of people who put their name forward do so because they'll have no problem getting a job elsewhere, or because they fancy an early retirement. Where I was, there were people practically begging for voluntary each time it came up most of them had done 25 years plus which would have meant in most cases a six-figure pay off.

As it turned out, in the end a few managers seemed to begin to realise it wasn't working. So they bought in a UK consultancy firm to run some projects at company locations in the UK. They ended up paying over £500/day for grads straight out of uni who needed somewhere to cut their teeth. Paying to train another company's staff, you couldn't make it up.

Unsurprisingly, there were some high-profile IT cock-ups...

*When I say "good", I mean distinctly average and that's just their language ability...
Chris the Robot is offline  
Old 8th Sep 2018, 03:22
  #32 (permalink)  
 
Join Date: Jul 2007
Location: Auckland, NZ
Age: 79
Posts: 713
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Marty-Party
...why has Cruz still got his job? .... IAG ) are making unbelievable profits..., so why is he still CEO ?
I think you answered your own question. Customers? Staff? We'd outsource them if we could. Our job is to sit astride the cash flow, taking a little sliver off it as it passes through our hands. Modern management
FlightlessParrot is offline  
Old 8th Sep 2018, 05:47
  #33 (permalink)  
 
Join Date: Oct 2002
Location: London UK
Posts: 7,523
Likes: 0
Received 3 Likes on 3 Posts
Anyone using the BA booking website will recognise all sorts of inconsistencies, bugs, page crashes, "we cannot perform that action at this time" messages, and similar, far more since the operation was outsourced than before.

If they can't get the basic logic of the application right, it strains credulity that the IT team nevertheless are competent enough to make the whole thing adequately secure. Possibly the Information Commissioner will ask Alex Cruz to reconcile these two aspects...

Last edited by WHBM; 8th Sep 2018 at 05:57.
WHBM is offline  
Old 8th Sep 2018, 08:17
  #34 (permalink)  
 
Join Date: Feb 2016
Location: Southport
Posts: 1,319
Likes: 0
Received 5 Likes on 4 Posts
Unfortunately most managers treat IT as they would the water supply or the paper towels in the toilets, something to be cut as much as possible to increase the bottom line, thus ensuring their bonus. In most cases IT is the business, banks being a prime example, they're all just IT companies that move money around now. Because they don't understand IT they don't see it as important, and until they do things like this will continue to happen. Witness the rush to cloud computing - which is just your data on someone else's computer, and when it dies you're stuffed.
But hey, they still all get their golden parachutes and then move on to the next victim.
andytug is offline  
Old 8th Sep 2018, 09:57
  #35 (permalink)  

Avoid imitations
 
Join Date: Nov 2000
Location: Wandering the FIR and cyberspace often at highly unsociable times
Posts: 14,403
Received 238 Likes on 118 Posts
Name, email address, credit card details including (unbelievably) CVV.
My understanding is that by law, a CVV cannot be logged or stored in any way.

Obviously those responsible at BA did not carry out "due diligence" before awarding a contract to the outsourced IT company.

This could be the downfall of BA, not just because of the size of any fine imposed, but because of the loss of confidence of their customers. I, for one, won't be passing them any credit card details anytime soon.
ShyTorque is online now  
Old 8th Sep 2018, 10:04
  #36 (permalink)  
 
Join Date: Mar 2008
Location: Stirling
Posts: 14
Likes: 0
Received 0 Likes on 0 Posts
From what has been said, there is no indication they were storing the CVVs. The attack appears to have compromised the front end and transmitted details to a third-party as they were entered. Thus leaking the CVV (and any other payment data entered during the transaction) but not allowing access to any stored data.
dtaylor1984 is offline  
Old 8th Sep 2018, 10:21
  #37 (permalink)  
 
Join Date: Aug 2018
Location: Derby
Posts: 0
Likes: 0
Received 0 Likes on 0 Posts
This seems to be a decent shot at what happened

BBC Technology page

BA has not revealed any technical details about the breach, but cyber-security experts have some suggestions of possible methods used. Names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes were stolen by the hackers. At first glance, they appear to give no details about the hack, but by "reading between the lines", it is possible to infer some potential attack routes, says cyber-security expert Prof Alan Woodward at the University of Surrey.

Take BA's specification of the exact times and dates between which the attack occurred - 22:58 BST, 21 August 2018 until 21:45 BST, 5 September 2018 inclusive."They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk," says Prof Woodward ."It looks very much like the details were nabbed at the point of entry - someone managed to get a script on to the website."
This means that as customers typed in their credit card details, a piece of malicious code on the BA website or app may have been furtively extracting those details and sending them to someone else.

Prof Woodward points out that this is an increasing problem for websites that embed code from third-party suppliers - it's known as a supply chain attack.Third parties may supply code to run payment authorisation, present ads or allow users to log into external services, for example.Image copyright Ticketmaster Image caption Popular events ticketing website Ticketmaster was hit with a data breach earlier this year Such an attack appeared to affect Ticketmaster recently, after an on-site customer service chatbot caused a breach affecting up to 40,000 UK users.Without further details, there is no way of knowing for sure if something similar has happened to BA. Prof Woodward points out it may just as easily have been a company insider who tampered with the website and app's code for malicious purposes.Because CVV data, the three-digit security code on credit and debit cards, was also taken in the attack, it is indeed likely the details were lifted live, according to Robert Pritchard, a former cyber-security researcher at GCHQ and founder of private firm The Cyber Security Expert.

This is because CVV codes are not meant to be stored by companies, though they may be processed at payment time."This means it was either a direct compromise of their... booking site, or compromise of a third party provider," he told the BBC.Prof Woodward added that private firms using third party code on their websites and apps must continually vet such products, to ensure weak points in security don't emerge."You can put the strongest lock you like on the front door," he said, "but if the builders have left a ladder up to a window, where do you think the burglars will go?"
friartuck is offline  
Old 8th Sep 2018, 10:40
  #38 (permalink)  
 
Join Date: Apr 2007
Location: moraira,spain-Norfolk, UK
Age: 81
Posts: 389
Likes: 0
Received 0 Likes on 0 Posts
Anyone know how widespread this kind of 'insecurity' is. Just a day or two ago
I paid my electricity bill using the suppliers website. I realise now that I could (should ?)
have paid via my online banking which is supposed to be really secure (dongle & all).
The article by kristofera is quite worrying.
esa-aardvark is offline  
Old 8th Sep 2018, 11:21
  #39 (permalink)  
 
Join Date: Aug 2018
Location: Derby
Posts: 0
Likes: 0
Received 0 Likes on 0 Posts
Nothing is secure TBH - it's like code-breaking or the radar wars during WW2

The Bad guys break the code, the good guys improve things - but it never lasts .

The world (outside NK) is totally connected, too many brains at work, too many ways in, too many lazy people (remember a big ENIGMA break was the realisation that operators often signed off with "HH" - Heil Hitler..), too much incentive if you are inside to join the Dark Side.....................................

All you can do is stay alert and use the maximum amount of security you can
friartuck is offline  
Old 8th Sep 2018, 12:14
  #40 (permalink)  
 
Join Date: Dec 2001
Location: Leeds, UK
Posts: 281
Likes: 0
Received 0 Likes on 0 Posts
About the potential half billion fine. It could well be written into the outsourcing contract that any fine etc be paid by the outsourcing company and not BA. So other than reputational damage it could be BA walks away scot free..

G
groundbum is offline  

Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell or Share My Personal Information

Copyright © 2023 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.