PPRuNe Forums

PPRuNe Forums (https://www.pprune.org/)
-   Rumours & News (https://www.pprune.org/rumours-news-13/)
-   -   BA hacked but they're 'deeply sorry' (https://www.pprune.org/rumours-news/613073-ba-hacked-but-theyre-deeply-sorry.html)

scr1 8th Sep 2018 15:49


About the potential half billion fine. It could well be written into the outsourcing contract that any fine etc. be paid by the outsourcing company and not BA. So other than reputational damage it could be BA walks away scot-free.
Except facing a bill of this size would leave the outsourcing company bankrupt and then BA would still have to pay

phylosocopter 8th Sep 2018 23:46

Possibly we approach the point where your details as an air traveller who actually purchases stuff is worth more than the fare paid?

3rd_ear 9th Sep 2018 17:49


Originally Posted by RickNRoll (Post 10243932)
Are they PCI Compliant?

I would be utterly appalled if they weren't - unless they've bullied their acquirer into submission on the basis of their scale and throughput (aka the richness of the pickings for the acquirer). They should at any rate have a shedload of PCI-DSS auditors all over them at the minute. I'm not sure that outsourcing IT transfers the responsibility, either.

Chronus 9th Sep 2018 18:36

Is there any news on any individuals who have had money stolen from their credit cards.

Dannyboy39 9th Sep 2018 18:40

Posted this on the AAR thread...

I travel all the time like many on here and will happily moan about using Ryanair - but most of the time they will get me there on time, no issues. I've used them 30-40 times in the last 18 months and they are rarely late, if a bit uncomfortable.

I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure. And now my second trip to NCL, this happens. It’s not really good enough is it?

I didn't lose any money (I've seen some pictures on social media of affected transactions). I did however block my card before going travelling again as banks don’t send cards to hotels or other locations which aren’t your home. In the mean time I still have to pay for flights and hotels on my personal rather than business card. Frustrating.

As for Cruz, I'm not really sure how he still has a job - he seems to be made of teflon over the last couple of years. Aside from strong financial performance, the airline has regressed into a lower division when it comes to product.

FrontSeatPhil 9th Sep 2018 21:55

I really don't want to defend BA, but...


Originally Posted by Dannyboy39 (Post 10245114)
I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure.

...I don't think that one can be blamed on them. I'd imagine all airlines were affected. Equally...


Originally Posted by Dannyboy39 (Post 10245114)
And now my second trip to NCL, this happens. It’s not really good enough is it?

...every company is hackable. BA's loss isn't even particularly big. Heartland Payment Systems lost 130 million cards, TKMaxx lost 94m and Sears lost 90m. The best security techniques will eventually be bettered by those that value the data hidden away. With the information revealed so far, I've a good idea what might have happened, and many companies would be at risk of a similar attack.


Originally Posted by Dannyboy39 (Post 10245114)
I did however block my card before going travelling again as banks don’t send cards to hotels or other locations which aren’t your home.

American Express will, on some accounts. In fairness, you do pay handsomely for the services they offer, but they can be good value.

hunterboy 10th Sep 2018 05:20

Once again, omnishambles seems to sum up BA’s operation. At least it’s never a dull moment working there. Like many of the staff, I often wonder what we could have achieved had we been led by decent management. But then, you only have to look at the calibration of politicians running the country to see that it must be a cultural thing.

crewmeal 10th Sep 2018 05:30

Gone are the days when you could go into a BA shop and pay cash or write a cheque for your flight!

Theviewdownhere 10th Sep 2018 07:05

I work in IT and unfortunately the cost cutting is rampant. Everything is being moved overseas (not that I am saying they are any less capable) but the testing time lines have been trimmed to almost non existent. There was a time when we used to say the testing of our code should be 10 times the actual writing time. Unfortunately, testing is one of the items that has been stripped to the core. Automated testing can NOT match personal testing (rant over). TVDH

B Fraser 10th Sep 2018 07:17

I have visited a few offshore IT establishments and their security has to be seen to be believed. My car was inspected including the underside where the security chap used a pole with a mirror to check for goodness knows what. I doubt he would have recognised anything out of the ordinary. My team were then met by another security bloke who was 5 foot one and weighed about 50 kilos. He sported a baseball cap with a swastika and the word "Security". The symbol is a Hindu good luck charm but my colleagues and I had a little bit of trouble keeping a straight face. We were searched and the camera on our mobiles was spotted. This was resolved (I kid you not) by placing a piece of sticking plaster over the lens and we were then allowed to take our phones on site. The camera lenses on our laptops were ignored.

The following day, we held our phones in our hands above our heads while being searched and walked in minus the sticking plasters.

Theviewdownhere 10th Sep 2018 07:32

B Fraser, I know the feeling. Worked in India rolling out software. Was not allowed to take a pen in to the call centre in case I wrote down a credit card number!! Despite the fact that I had FULL admin privileges to the entire company's databases :-) ...... not that the databases held credit card details (but you get my drift). The most worrying thing about this "breach" is that CVV details should NEVER be held!

B Fraser 10th Sep 2018 07:35

I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

DaveReidUK 10th Sep 2018 07:46


Originally Posted by Theviewdownhere (Post 10245438)
The most worrying thing about this "breach" is that CVV details should NEVER be held!

There's no evidence that they were stored.

Theviewdownhere 10th Sep 2018 07:56

DaveReidUK

NOT stored - sorry my mistake - but stolen at source, nasty code, a key stroke logger. It seems a third party plugin had this malicious code.

Ben_S 10th Sep 2018 09:46


Originally Posted by B Fraser (Post 10245441)
I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

Do you want them to buy special ones without them? Much simpler just to buy standard hardware and lock down the ports.

B Fraser 10th Sep 2018 15:03

Far better to have the IT wallah remove the USB port cards. Ports can be re-enabled in software.

DaveReidUK 10th Sep 2018 16:38


Originally Posted by B Fraser (Post 10245767)
Far better to have the IT wallah remove the USB port cards.

On a laptop ? You're kidding, of course.


Originally Posted by B Fraser (Post 10245767)
Ports can be re-enabled in software.

If your users have admin access to policies on your PCs, then the presence or absence of USB ports is the least of your problems. :O

Ex Cargo Clown 10th Sep 2018 17:52

What I'd love to know is as this appears to be an "internal" 3rd party hack, who the hell is going to investigate it?

ethicalconundrum 10th Sep 2018 18:44

I work in networking in the US. You do NOT want me to start telling stories about security breaches. I'll share one. Last Nov I was asked to go onsite at the federal IRS office in a large US southern state. I went to some of the storage systems where they keep taxpayer records. I typed in the default root password for the machine and on 7 of 11 of the systems - I was into their storage subsystem as root login. I told the on-site wunderkind who had to be all of 19 years old. He said they had already 'hardened them'. I said it needs to be harder than hard. They also have offsite management networks that breaches the comms firewall with no VPN. Oye.....

beamender99 11th Sep 2018 09:15

https://www.bbc.co.uk/news/technology-45481976
"A cyber-security firm has said it found a malicious script injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.
A RiskIQ researcher analysed code from BA's website and app around the time when the breach began, in late August.
He claimed to have discovered evidence of a "skimming" script designed to steal financial data from online payment forms.
BA said it was unable to comment."

barry lloyd 11th Sep 2018 09:31

As luck would have it, I had booked a ticket with BA at just the wrong moment. Result? The bank has cancelled my card (but didn't bother to tell me), and is re-issuing. From BA? An apologetic email or even a snail mail letter (since I am a BA loyalty card holder)? Nothing, other than the 'very sorry' blanket apology.

As has been pointed out earlier, BA is merely an arm of IAG these days, and it shows. In the same way as many of our railway companies are now foreign-owned and offering a less than satisfactory service, but nevertheless raking in lots of Sterling.

TURIN 11th Sep 2018 10:39

Bang goes the staff bonus. Even though its not their fault...again.

PAXboy 11th Sep 2018 18:57

BBC web news

RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.

Blackfriar 12th Sep 2018 13:09

BA used to be described as a pension scheme that ran an airline. These days to run any modern, efficient company you need to be an IT company that runs an airline. The flying bit is old hat and much the same as when I was a despatcher and ops planner in the early 90s. The clever bit is selling the seats and handling the complexity of bookings, check-in, and third party sales (hotels, car-hire, fast-track security etc.) as efficiently and effectively as possible. Which takes a great in-house IT team that have loads of experience in an airline, not a mars bar factory. Outsourcing the IT is like outsourcing the aircraft, crews and customer service - but maybe that's what BA wants to do, while sitting on a valuable pile of slots. Maybe they should just close the whole lot down and lease the slots with a couple of people collecting the money and passing it on to the pension fund and government taxes. When I worked there we joked that if we sold all the assets and invested the money the business would be far more profitable.
On the technical side of this breach it looks like BA is in breach of the Payment Card Industry rules (PCI DSS) by having multiple externally linked scripts running on the payment page where none are allowed. The hackers just injected another script that skimmed off the details (so I read from IT sources). This must make them liable for a huge Information Commissioner's Office fine under GDPR.

PAXboy 12th Sep 2018 19:01

In the mid-90s, I was working for a very large high street retailer known throughout the UK. With (then) over 900 shops of various brands, they relied utterly on their IT (of which I was a contractor). Whilst I was there, I saw them downgrade the importance of the whole department. As the demands on us grew, so they ignored what we were telling them.

One week, the data network of the head office collapsed under the strain. Once fixed (three days later) they came hunting. My team and I showed them the weekly reports we had been sending them warning of the overload. They ignored the warnings until the network collapsed under the weight of traffic we had been warning about.

They all take IT for granted - even when it is 100% critical to their operation, as Blackfriar puts it.

DaveReidUK 12th Sep 2018 20:33


RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to?

kristofera 13th Sep 2018 01:10


Originally Posted by DaveReidUK (Post 10247778)
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to?

It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA nor British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/upd...rticle/1492560

b1lanc 13th Sep 2018 01:54


Originally Posted by kristofera (Post 10247910)
It does: all data was sent to a cloud hosting site/VPS in Lithuania. Neither BA nor British law enforcement bothered to contact the hosting company, instead it was brought to their attention by a member of the public several days after BA issued their alert.
https://www.scmagazineuk.com/amp/upd...rticle/1492560

Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.

kristofera 13th Sep 2018 02:02


Originally Posted by b1lanc (Post 10247923)
Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.

Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.

b1lanc 13th Sep 2018 02:25


Originally Posted by kristofera (Post 10247932)
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.

Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.

I don't disagree. But, what they should have done is reported to law enforcement before they took any action. So which LEA would whomever discovered the breach have contacted given the outsource? Laws vary wildly between sovereign nations on this matter. And it takes years to analyze. The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

kristofera 13th Sep 2018 04:23


Originally Posted by b1lanc (Post 10247938)
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

From the attacker's perspective, the outcome of the BA hack is a total failure. Most of the cards they were able to get details on have or will be cancelled and reissued. If BA had not gone public with it (some companies prefer to try to cover up this kind of incident), or if the attackers had removed the malicious script earlier then the stolen card details would remain valid for a longer period of time.

msbbarratt 13th Sep 2018 06:38

There's reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website. When your browser downloaded BA's page, that in turn would go fetch the code from the third party. The mistake BA made was to do that on payment pages too. Someone has hacked the third party, so BA were unwittingly bringing in the hacked code from there whilst also asking you for credit card details, etc. The hacked third party code, as part of the web page BA composed, is free to access any data being typed on the page by customers. Bingo!

BA's failure was to make their web security only as good as that of all the third parties they fetched code from. Ooops.

It's the equivalent of booking a ticket by phone, and the vendor letting someone eavesdrop on the conversation whilst you read out your card number without taking too much care to check who that someone actually was, is, or could be.

It now looks like it's popping up all over the Internet, so BA may well not be the last we hear of this.

DaveReidUK 13th Sep 2018 07:00


Originally Posted by b1lanc (Post 10247938)
The only thing in the general populace's favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.

Though I'd suggest that the value of a stolen credit card number is considerably increased if, as in this case, it's accompanied by a known CVV.

kristofera 13th Sep 2018 07:00


Originally Posted by msbbarratt (Post 10248012)
There's reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website.

That was the case for Delta, Sears, Ticketmaster and many others. That has been the most common delivery mechanism for this type of script lately.

However, in BA's case, the malicious script was actually hosted on their own site, not on a 3rd party site.

That said, I think we will continue to see many more similar hacks, and since many airlines include script from 10-20 different third party hosts in their payment pages, I think we can expect more data leaks facilitated by 3rd party trackers/chatbots/etc.

PAXboy 18th Sep 2018 18:09

Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.

rog747 19th Sep 2018 06:57


Originally Posted by PAXboy (Post 10252115)
Does anyone know the process for claiming? A good friend of mine made a booking in the 'window' and had a questionable transaction now being investigated and the relevant card closed. If it turns out to be related, we should like to know the right place to claim. Thanks.

If he had to dispute an unknown transaction on his card he contacts his bank or card provider - Which he has done.

They will cancel his card, they should negate the charge, and he will have to wait for a new card to be sent - Which is being done.
Any other cards he may have had stored on the BA payments page should also be cancelled.

He needs to be now mindful of further phishing attempts - Best to change email and bank online passwords.


If he is out of pocket for any expenses because of this data breach then also contact BA. https://www.britishairways.com/en-gb...st-information

It seems there are now lawyers and websites out there now offering affected clients to make a compensation claim.
I assume on a no win no fee basis. Such as this one:
https://www.badatabreach.com/?gclid=...xoC-qIQAvD_BwE
Be careful of those - I would let the dust settle to see if BA makes, or is instructed to make an offer to all affected pax...

This is of interest
http://www.theweek.co.uk/96327/briti...ou-re-affected

dastocks 19th Sep 2018 09:03


Originally Posted by rog747 (Post 10252499)
Any other cards he may have had stored on the BA payments page should also be cancelled.

I have/had two cards stored on BA website. I used one of them during the period that security was compromised.

I contacted the issuers, and the card that I had *not* used was blocked and is being re-issued. However, the issuer for the card that I *did* use advised me:
1. there is currently no suspicious activity on the account (I can see this for myself via online banking)
2. their fraud prevention folk are on the case: it's Lloyds, and they do seem to be on the ball
3. there is currently no need to block the card.

I assume that if card issuers find they are losing money because of this incident they will simply send the bill to BA.

Nicolaus Silver 19th Sep 2018 14:05

Outsource
 
Isn't $x million enough profit? Whenever one increases quantity one reduces quality....not just BA scenario but maintenance of craft by overseas operations, also out to make a profit and take short cuts in so doing, not have the same standard of hiring staff with as good qualifications and care that home based personnel offer. One carrier exec said even if they lost 2 planes they would only lose 5% of market share in the short term........sums it all up so BA Qantas et al don't give a hoot and corporations in the last 20 years have been free to plunder regardless of community impact with the blessing of puppet democracies.

GordonR_Cape 8th Jul 2019 08:58

https://www.bbc.com/news/business-48905907

British Airways faces record £183m fine for data breach

I imagine that many people's first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine - surely the decimal point must be in the wrong place?

After all the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe's GDPR. This allows fines of up to 4% of annual turnover.

Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon but today's news will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation.

The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.

British Airways certainly appears to be stunned. But then again it could have been worse: the full 4% of turnover would have meant a fine approaching £500m.

Doctor Cruces 8th Jul 2019 09:29

Their lack of passenger care is proven by their recent LOI for 737 Max. I certainly won't be flying on one, ever. A bit like I never flew on a DC10.




Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.