BA hacked but they're 'deeply sorry'

Old 11th Sep 2018, 10:31
  #61 (permalink)  
 
Join Date: Dec 2004
Location: East Angular - apparently!
Posts: 740
Received 1 Like on 1 Post
As luck would have it, I had booked a ticket with BA at just the wrong moment. Result? The bank has cancelled my card (but didn't bother to tell me), and is re-issuing. From BA? An apologetic email or even a snail mail letter (since I am a BA loyalty card holder)? Nothing, other than the 'very sorry' blanket apology.

As has been pointed out earlier, BA is merely an arm of IAG these days, and it shows. In the same way as many of our railway companies are now foreign-owned and offering a less than satisfactory service, but nevertheless raking in lots of Sterling.
barry lloyd is offline  
Old 11th Sep 2018, 11:39
  #62 (permalink)  
 
Join Date: Feb 2002
Location: UK
Age: 58
Posts: 3,288
Received 13 Likes on 4 Posts
Bang goes the staff bonus. Even though it's not their fault...again.
TURIN is offline  
Old 11th Sep 2018, 19:57
  #63 (permalink)  
Paxing All Over The World
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,016
Received 45 Likes on 37 Posts
BBC web news
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
PAXboy is offline  
Old 12th Sep 2018, 14:09
  #64 (permalink)  
 
Join Date: Nov 2013
Location: Somerset
Posts: 171
Received 0 Likes on 0 Posts
BA used to be described as a pension scheme that ran an airline. These days to run any modern, efficient company you need to be an IT company that runs an airline. The flying bit is old hat and much the same as when I was a despatcher and ops planner in the early 90s. The clever bit is selling the seats and handling the complexity of bookings, check-in, and third party sales (hotels, car-hire, fast-track security etc.) as efficiently and effectively as possible. Which takes a great in-house IT team that have loads of experience in an airline, not a mars bar factory. Outsourcing the IT is like outsourcing the aircraft, crews and customer service - but maybe that's what BA wants to do, while sitting on a valuable pile of slots. Maybe they should just close the whole lot down and lease the slots with a couple of people collecting the money and passing it on to the pension fund and government taxes. When I worked there we joked that if we sold all the assets and invested the money the business would be far more profitable.
On the technical side of this breach it looks like BA is in breach of the Payment Card Industry rules (PCI DSS) by having multiple externally linked scripts running on the payment page where none are allowed. The hackers just injected another script that skimmed off the details (so I read from IT sources). This must make them liable for a huge Information Commissioner's Office fine under GDPR.
Blackfriar is offline  
Old 12th Sep 2018, 20:01
  #65 (permalink)  
Paxing All Over The World
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,016
Received 45 Likes on 37 Posts
In the mid-90s, I was working for a very large high street retailer known throughout the UK. With (then) over 900 shops of various brands, they relied utterly on their IT (of which I was a contractor). Whilst I was there, I saw them downgrade the importance of the whole department. As the demands on us grew, so they ignored what we were telling them.

One week, the data network of the head office collapsed under the strain. Once fixed (three days later) they came hunting. My team and I showed them the weekly reports we had been sending them warning of the overload. They ignored the warnings until the network collapsed under the weight of traffic we had been warning about.

They all take IT for granted - even when it is 100% critical to their operation, as Blackfriar puts it.
PAXboy is offline  
Old 12th Sep 2018, 21:33
  #66 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 15,430
Received 111 Likes on 60 Posts
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?
DaveReidUK is offline  
Old 13th Sep 2018, 02:10
  #67 (permalink)  
 
Join Date: Mar 2008
Location: Bangkok
Posts: 47
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by DaveReidUK
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?
It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA nor British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/upd...rticle/1492560
kristofera is offline  
Old 13th Sep 2018, 02:54
  #68 (permalink)  
Thread Starter
 
Join Date: Mar 2015
Location: North by Northwest
Posts: 476
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by kristofera
It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA or British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/upd...rticle/1492560
Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.
b1lanc is offline  
Old 13th Sep 2018, 03:02
  #69 (permalink)  
 
Join Date: Mar 2008
Location: Bangkok
Posts: 47
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by b1lanc
Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.
kristofera is offline  
Old 13th Sep 2018, 03:25
  #70 (permalink)  
Thread Starter
 
Join Date: Mar 2015
Location: North by Northwest
Posts: 476
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by kristofera
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.
I don't disagree. But, what they should have done is reported to law enforcement before they took any action. So which LEA would whomever discovered the breach have contacted given the outsource? Laws vary wildly between sovereign nations on this matter. And it takes years to analyze. The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.
b1lanc is offline  
Old 13th Sep 2018, 05:23
  #71 (permalink)  
 
Join Date: Mar 2008
Location: Bangkok
Posts: 47
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by b1lanc
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.
From the attacker's perspective, the outcome of the BA hack is a total failure. Most of the cards they were able to get details on have or will be cancelled and reissued. If BA had not gone public with it (some companies prefer to try to cover up this kind of incident), or if the attackers had removed the malicious script earlier, then the stolen card details would remain valid for a longer period of time.
kristofera is offline  
Old 13th Sep 2018, 07:38
  #72 (permalink)  
 
Join Date: Apr 2008
Location: UK
Posts: 368
Likes: 0
Received 0 Likes on 0 Posts
There are reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website. When your browser downloaded BA's page, that in turn would go fetch the code from the third party. The mistake BA made was to do that on payment pages too. Someone has hacked the third party, so BA were unwittingly bringing in the hacked code from there whilst also asking you for credit card details, etc. The hacked third party code, as part of the web page BA composed, is free to access any data being typed on the page by customers. Bingo!

BA's failure was to make their web security only as good as that of all the third parties they fetched code from. Ooops.

It's the equivalent of booking a ticket by phone, and the vendor letting someone eavesdrop on the conversation whilst you read out your card number without taking too much care to check who that someone actually was, is, or could be.

It now looks like it's popping up all over the Internet, so BA may well not be the last we hear of this.
msbbarratt is offline  
Old 13th Sep 2018, 08:00
  #73 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 15,430
Received 111 Likes on 60 Posts
Originally Posted by b1lanc
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.
Though I'd suggest that the value of a stolen credit card number is considerably increased if, as in this case, it's accompanied by a known CVV.
DaveReidUK is offline  
Old 13th Sep 2018, 08:00
  #74 (permalink)  
 
Join Date: Mar 2008
Location: Bangkok
Posts: 47
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by msbbarratt
There are reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website.
That was the case for Delta, Sears, Ticketmaster and many others. That has been the most common delivery mechanism for this type of script lately.

However, in BA's case, the malicious script was actually hosted on their own site, not on a 3rd party site.

That said, I think we will continue to see many more similar hacks, and since many airlines include scripts from 10-20 different third party hosts in their payment pages, I think we can expect more data leaks facilitated by 3rd party trackers/chatbots/etc.
kristofera is offline  
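The exposure msbbarratt describes (a payment page pulling in third-party code that can read every field on the page) and kristofera's point about 10-20 third-party hosts on airline payment pages come down to an inventory question: which script origins does the checkout page actually load, and which of them can change without the site owner noticing? The audit below is an added example written for this thread, not BA's code or anything from the reports quoted above. It takes the HTML of a checkout page (a constructed sample here, with placeholder hostnames), lists every script source, separates first-party from third-party, flags third-party scripts that carry no Subresource Integrity hash (so a compromised host could serve different code tomorrow), and derives a Content-Security-Policy `script-src` directive that would block everything except the first-party origin and the pinned hosts. It runs under plain Node.js with no dependencies; the first-party origin is an assumed value.

```javascript
// Added example (not from the thread, BA or RiskIQ): inventory the <script>
// tags of a checkout page, flag third-party and unpinned sources, and derive
// a restrictive CSP script-src. Node.js, no dependencies.

// Constructed sample checkout page; every hostname here is a placeholder.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example-feedback.test/widget.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-PLACEHOLDER-HASH" crossorigin="anonymous"></script>
<script>window.__cfg = { site: "checkout" };</script>
</head><body>
<form id="payment"><input name="pan"><input name="cvv"><button>submit</button></form>
</body></html>`;

// Assumed first-party origin of the site being audited.
const FIRST_PARTY_ORIGIN = "https://www.example-airline.test";

// Pull src and integrity attributes out of every <script ...> opening tag.
// A regex is enough for this demo input; a real audit should use a DOM parser.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    const hasIntegrity = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, hasIntegrity });
  }
  return scripts;
}

// Classify each script relative to the first-party origin.
// unpinned = third-party scripts with no SRI hash, i.e. code that can change
// on the third party's side without any change on the site itself.
function auditScripts(html, firstPartyOrigin) {
  const firstHost = new URL(firstPartyOrigin).host;
  const report = { inline: 0, firstParty: [], thirdParty: [], unpinned: [] };
  for (const s of extractScripts(html)) {
    if (s.src === null) { report.inline += 1; continue; }
    const url = new URL(s.src, firstPartyOrigin); // resolves relative paths
    if (url.host === firstHost) {
      report.firstParty.push(url.href);
    } else {
      report.thirdParty.push(url.host);
      if (!s.hasIntegrity) report.unpinned.push(url.host);
    }
  }
  return report;
}

// Build a script-src directive allowing only 'self' and SRI-pinned third-party
// hosts; browsers enforcing this CSP refuse to load any other script source.
function buildScriptSrc(report) {
  const pinned = report.thirdParty.filter((h) => !report.unpinned.includes(h));
  const sources = ["'self'", ...new Set(pinned.map((h) => `https://${h}`))];
  return `script-src ${sources.join(" ")}`;
}

// Stand-alone run: print the audit and the derived header value.
const demoReport = auditScripts(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_ORIGIN);
console.log(JSON.stringify(demoReport, null, 2));
console.log(`Content-Security-Policy: ${buildScriptSrc(demoReport)}`);
```

On the sample page the audit reports one inline script, one first-party file, two third-party hosts, and one of those (the feedback widget) unpinned; the derived header allows only `'self'` and the pinned CDN. SRI pinning only works for third-party files that are static, which a live chat widget or tracker usually is not, and that is the practical argument for keeping such scripts off the payment page altogether. Note also kristofera's point that in BA's case the malicious code was served from BA's own site: neither this inventory nor `'self'` in a CSP catches a modified first-party file, which needs integrity monitoring of the site's own deployed assets.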
Old 18th Sep 2018, 19:09
  #75 (permalink)  
Paxing All Over The World
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,016
Received 45 Likes on 37 Posts
Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.
PAXboy is offline  
Old 19th Sep 2018, 07:57
  #76 (permalink)  
 
Join Date: Feb 2008
Location: UK
Age: 66
Posts: 647
Received 4 Likes on 4 Posts
Originally Posted by PAXboy
Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.
If he had to dispute an unknown transaction on his card he contacts his bank or card provider - Which he has done.

They will cancel his card, they should negate the charge, and he will have to wait for a new card to be sent - Which is being done.
Any other cards he may have had stored on the BA payments page should also be cancelled.

He needs to be now mindful of further phishing attempts - Best to change email and bank online passwords.


If he is out of pocket for any expenses because of this data breach then also contact BA. https://www.britishairways.com/en-gb...st-information

It seems there are now lawyers and websites out there offering affected clients to make a compensation claim.
I assume on a no win no fee basis. Such as this one:
https://www.badatabreach.com/?gclid=...xoC-qIQAvD_BwE
Be careful of those - I would let the dust settle to see if BA makes, or is instructed to make an offer to all affected pax...

This is of interest
http://www.theweek.co.uk/96327/briti...ou-re-affected

Last edited by rog747; 19th Sep 2018 at 08:08.
rog747 is offline  
Old 19th Sep 2018, 10:03
  #77 (permalink)  
 
Join Date: Jan 2008
Location: Hove, England
Age: 58
Posts: 62
Received 0 Likes on 0 Posts
Originally Posted by rog747
Any other cards he may have had stored on the BA payments page should also be cancelled.
I have/had two cards stored on BA website. I used one of them during the period that security was compromised.

I contacted the issuers, and the card that I had *not* used was blocked and is being re-issued. However, the issuer for the card that I *did* use advised me:
1. there is currently no suspicious activity on the account (I can see this for myself via online banking)
2. their fraud prevention folk are on the case: it's Lloyds, and they do seem to be on the ball
3. there is currently no need to block the card.

I assume that if card issuers find they are losing money because of this incident they will simply send the bill to BA.
dastocks is offline  
Old 19th Sep 2018, 15:05
  #78 (permalink)  
 
Join Date: Apr 2009
Location: Toowoomba Australia
Age: 76
Posts: 22
Likes: 0
Received 0 Likes on 0 Posts
Outsource

Isn't $x million enough profit? Whenever one increases quantity one reduces quality....not just BA scenario but maintenance of craft by overseas operations, also out to make a profit and take short cuts in so doing, not have the same standard of hiring staff with as good qualifications and care that home based personnel offer. One carrier exec said even if they lost 2 planes they would only lose 5% of market share in the short term........sums it all up so BA Qantas et al don't give a hoot and corporations in the last 20 years have been free to plunder regardless of community impact with the blessing of puppet democracies.

Last edited by Nicolaus Silver; 19th Sep 2018 at 15:15. Reason: clarify
Nicolaus Silver is offline  
Old 8th Jul 2019, 09:58
  #79 (permalink)  
 
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes on 0 Posts
https://www.bbc.com/news/business-48905907
British Airways faces record £183m fine for data breach
I imagine that many people's first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine - surely the decimal point must be in the wrong place?

After all the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe's GDPR. This allows fines of up to 4% of annual turnover.

Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon but today's news will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation.

The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.

British Airways certainly appears to be stunned. But then again it could have been worse: the full 4% of turnover would have meant a fine approaching £500m.
GordonR_Cape is offline  
Old 8th Jul 2019, 10:29
  #80 (permalink)  
 
Join Date: Feb 2000
Location: UK
Posts: 604
Received 4 Likes on 2 Posts
Their lack of passenger care is proven by their recent LOI for 737 Max. I certainly won't be flying on one, ever. A bit like I never flew on a DC10.
Doctor Cruces is offline  