barry lloyd

As luck would have it, I had booked a ticket with BA at just the wrong moment. Result? The bank has cancelled my card (but didn't bother to tell me), and is re-issuing. From BA? An apologetic email or even a snail mail letter (since I am a BA loyalty card holder)? Nothing, other than the 'very sorry' blanket apology.

As has been pointed out earlier, BA is merely an arm of IAG these days, and it shows. In the same way as many of our railway companies are now foreign-owned and offering a less than satisfactory service, but nevertheless raking in lots of Sterling.

TURIN

Bang goes the staff bonus. Even though its not their fault...again.

PAXboy

BBC web news

Blackfriar

BA used to be described as a pension scheme that ran an airline. These days to run any modern, efficient company you need to be an IT company that runs an airline. The flying bit is old hat and much the same as when I was a despatcher and ops planner in the early 90s. The clever bit is selling the seats and handling the complexity of bookings, check-in, and third party sales (hotels, car-hire, fast-track security etc.) as efficiently and effectively as possible. Which takes a great in-house IT team that have loads of experience in an airline, not a mars bar factory. Outsourcing the IT is like outsourcing the aircraft, crews and customer service - but maybe that's what BA wants to do, while sitting on a valuable pile of slots. Maybe they should just close the whole lot down and lease the slots whith a couple of people collecting the money and passing it on to the pension fund and government taxes. When I worked there we joked that if we sold all the assets and invested the money the business would be far more profitable.
On the technical side of this breach it looks like BA is in breach of the Payment Card Industry rules (PCI DSS) by having multiple externally linked scripts running on the payment page where none are allowed. The hackers just injected another script that skimmed off the details (so I read from IT sources). This must make them liable for a huge Information Commissioner's Office fine under GDPR.

PAXboy

In the mid-90s, I was working for a very large high street retailer known throughout the UK. With (then) over 900 shops of various brands, they relied utterly on their IT (of which I was a contractor). Whilst I was there, I saw them downgrade the importance of the whole department. As the demands on us grew, so they ignored what we were telling them.

One week, the data network of the head office collapsed under the strain. Once fixed (three days later) they came hunting. My team and I showed them the weekly reports we had been sending them warning of the overload. They ignored the warnings until the network collapsed under the weight of traffic we had been warning about.

They all take IT for granted - even when it is 100% critical to their operation, as Blackfriar puts it.

DaveReidUK

It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?

kristofera

It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA or British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/upd...rticle/1492560

b1lanc

Those pointers can easily be forged. The shear amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.

kristofera

Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.

b1lanc

I don't disagree. But, what they should have done is reported to law enforcement before they took any action. So which LEA would whomever discovered the breech have contacted given the outsource? Laws vary wildly between sovereign nations on this matter. And it takes years to analyze. The only thing in the general poplulace favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

kristofera

From the attacker's perspective, the outcome of the BA hack is a total failure. Most of the cards they were able to get details on have or will be cancelled and reissued. If BA had not gone public with it (some companies prefer to try to cover up this kind of incidents), or if the attackers had removed the malicious script earlier then the stole card details would remain valid for a longer period of time.

msbbarratt

There's reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website. When your browser downloaded BA's page, that in turn would go fetch the code from the third party. The mistake BA made was to do that on payment pages too. Someone has hacked the third party, so BA were unwittingly bringing in the hacked code from there whilst also asking you for credit card details, etc. The hacked third party code, as part of the web page BA composed, is free to access any data being typed on the page by customers. Bingo!

BA's failure was to make their web security only as good as that of all the third parties they fetched code from. Ooops.

It's the equivalent of booking a ticket by phone, and the vendor letting someone eavesdrop on the conversation whilst you read out your card number without taking too much care to check who that someone actually was, is, or could be.

It now looks like it's popping up all over the Internet, so BA may well not be the last we hear of this.

DaveReidUK

Though I'd suggest that the value of a stolen credit card number is considerably increased if, as in this case, it's accompanied by a known CVV.

kristofera

That was the case for Delta, Sears, Ticketmaster and many others. That has been the most common delivery mechanism for this type of scripts lately.

However, in BA's case, the malicious script was actually hosted on their own site, not on a 3rd party site.

That said, I think we will continue to see many more similar hacks, and since many airlines include script from 10-20 different third party hosts in their payment pages, I think we can expect more data leaks facilitated by 3rd party trackers/chatbots/etc.

PAXboy

Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.

rog747

If he had to dispute an unknown transaction on his card he contacts his bank or card provider - Which he has done.

They will cancel his card, they should negate the charge, and he will have to wait for a new card to be sent - Which is being done.
Any other cards he may have had stored on the BA payments page should also be cancelled.

He needs to be now mindful of further phishing attempts - Best to change email and bank online passwords,

If he is out of pocket for any expenses because of this data breach then also contact BA. https://www.britishairways.com/en-gb...st-information

It seems there are now lawyers and websites out there now offering affected clients to make a compensation claim.
I assume on a no win no fee basis. Such as this one:
https://www.badatabreach.com/?gclid=...xoC-qIQAvD_BwE
Be careful of those - I would let the dust settle to see if BA makes, or is instructed to make an offer to all affected pax...

This is of interest
http://www.theweek.co.uk/96327/briti...ou-re-affected

dastocks

I have/had two cards stored on BA website. I used one of them during the period that security was compromised.

I contacted the issuers, and the card that I had *not* used was blocked and is being re-issued. However, the issuer for the card that I *did* use advised me:
1. there is currently no suspicious activity on the account (I can see this for myself via online banking)
2. their fraud prevention folk are on the case: it's Lloyds, and they do seem to be on the ball
3. there is currently no need to block the card.

I assume that if card issuers find they are losing money because of this incident they will simply send the bill to BA.

Nicolaus Silver

Isn't $x million enough profit? Whenever one increases quantity one reduces quality....not just BA scenario but maintenance of craft by overseas operations, also out to make a profit and take short cuts in so doing, not have the same standard of hiring staff with as good qualifications and care that home based personnel offer. One carrier exec said even if they lost 2 planes they would only lose 5% of market share in the short term........sums it all up so BA Qantas et al don't give a hoot and corporations in the last 20 years have been free to plunder regardless of community impact with the blessing of puppet democracies.

GordonR_Cape

https://www.bbc.com/news/business-48905907

Doctor Cruces

Their lack of passenger care is proven by their recent LOI for 737 Max. I certainly won't be flying on one, ever. A bit like I never flew on a DC10.