PPRuNe Forums

BA hacked but they're 'deeply sorry' (https://www.pprune.org/rumours-news/613073-ba-hacked-but-theyre-deeply-sorry.html)

scr1 8th Sep 2018 15:49


About the potential half billion fine. It could well be written into the outsourcing contract that any fine etc be paid by the outsourcing company and not BA. So other than reputational damage it could be BA walks away scot free.
Except facing a bill of this size would leave the outsourcing company bankrupt and then BA would still have to pay.

phylosocopter 8th Sep 2018 23:46

Possibly we approach the point where your details as an air traveller who actually purchases stuff are worth more than the fare paid?

3rd_ear 9th Sep 2018 17:49


Originally Posted by RickNRoll (Post 10243932)
Are they PCI Compliant?

I would be utterly appalled if they weren't - unless they've bullied their acquirer into submission on the basis of their scale and throughput (aka the richness of the pickings for the acquirer). They should at any rate have a shedload of PCI-DSS auditors all over them at the minute. I'm not sure that outsourcing IT transfers the responsibility, either.

Chronus 9th Sep 2018 18:36

Is there any news on any individuals who have had money stolen from their credit cards?

Dannyboy39 9th Sep 2018 18:40

Posted this on the AAR thread...

I travel all the time like many on here and will happily moan about using Ryanair - but most of the time they will get me there on time, no issues. I've used them 30-40 times in the last 18 months and they are rarely late, if a bit uncomfortable.

I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure. And now my second trip to NCL, this happens. It’s not really good enough is it?

I didn't lose any money (I've seen some pictures on social media of affected transactions). I did however block my card before going travelling again as banks don’t send cards to hotels or other locations which aren’t your home. In the meantime I still have to pay for flights and hotels on my personal rather than business card. Frustrating.

As for Cruz, I'm not really sure how he still has a job - he seems to be made of Teflon over the last couple of years. Aside from strong financial performance, the airline has regressed into a lower division when it comes to product.

FrontSeatPhil 9th Sep 2018 21:55

I really don't want to defend BA, but...


Originally Posted by Dannyboy39 (Post 10245114)
I have used BA twice in the last year - first time a return to TLV; there was a total baggage system failure.

...I don't think that one can be blamed on them. I'd imagine all airlines were affected. Equally...


Originally Posted by Dannyboy39 (Post 10245114)
And now my second trip to NCL, this happens. It’s not really good enough is it?

...every company is hackable. BA's loss isn't even particularly big. Heartland Payment Systems lost 130 million cards, TKMaxx lost 94m and Sears lost 90m. The best security techniques will eventually be bettered by those that value the data hidden away. With the information revealed so far, I've a good idea what might have happened, and many companies would be at risk of a similar attack.


Originally Posted by Dannyboy39 (Post 10245114)
I did however block my card before going travelling again as banks don’t send cards to hotels or other locations which aren’t your home.

American Express will, on some accounts. In fairness, you do pay handsomely for the services they offer, but they can be good value.

hunterboy 10th Sep 2018 05:20

Once again, omnishambles seems to sum up BA’s operation. At least it’s never a dull moment working there. Like many of the staff, I often wonder what we could have achieved had we been led by decent management. But then, you only have to look at the calibre of politicians running the country to see that it must be a cultural thing.

crewmeal 10th Sep 2018 05:30

Gone are the days when you could go into a BA shop and pay cash or write a cheque for your flight!

Theviewdownhere 10th Sep 2018 07:05

I work in IT and unfortunately the cost cutting is rampant. Everything is being moved overseas (not that I am saying they are any less capable) but the testing timelines have been trimmed to almost non-existent. There was a time when we used to say the testing of our code should be 10 times the actual writing time. Unfortunately, testing is one of the items that has been stripped to the core. Automated testing can NOT match personal testing (rant over). TVDH

B Fraser 10th Sep 2018 07:17

I have visited a few offshore IT establishments and their security has to be seen to be believed. My car was inspected including the underside where the security chap used a pole with a mirror to check for goodness knows what. I doubt he would have recognised anything out of the ordinary. My team were then met by another security bloke who was 5 foot one and weighed about 50 kilos. He sported a baseball cap with a swastika and the word "Security". The symbol is a Hindu good luck charm but my colleagues and I had a little bit of trouble keeping a straight face. We were searched and the camera on our mobiles was spotted. This was resolved (I kid you not) by placing a piece of sticking plaster over the lens and we were then allowed to take our phones on site. The camera lenses on our laptops were ignored.

The following day, we held our phones in our hands above our heads while being searched and walked in minus the sticking plasters.

Theviewdownhere 10th Sep 2018 07:32

B Fraser, I know the feeling. Worked in India rolling out software. Was not allowed to take a pen into the call centre in case I wrote down a credit card number!! Despite the fact that I had FULL admin privileges to the entire company's databases :-) ...... not that the databases held credit card details (but you get my drift). The most worrying thing about this "breach" is that CVV details should NEVER be held!

B Fraser 10th Sep 2018 07:35

I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

DaveReidUK 10th Sep 2018 07:46


Originally Posted by Theviewdownhere (Post 10245438)
The most worrying thing about this "breach" is that CVV details should NEVER be held!

There's no evidence that they were stored.

Theviewdownhere 10th Sep 2018 07:56

DaveReidUK

NOT stored - sorry my mistake - but stolen at source, nasty code, a key stroke logger. It seems a third party plugin had this malicious code.

Ben_S 10th Sep 2018 09:46


Originally Posted by B Fraser (Post 10245441)
I also noticed that all of the laptops / desktops used by the staff had USB ports.

:ugh:

Do you want them to buy special ones without them? Much simpler just to buy standard hardware and lock down the ports.

B Fraser 10th Sep 2018 15:03

Far better to have the IT wallah remove the USB port cards. Ports can be re-enabled in software.

DaveReidUK 10th Sep 2018 16:38


Originally Posted by B Fraser (Post 10245767)
Far better to have the IT wallah remove the USB port cards.

On a laptop? You're kidding, of course.


Originally Posted by B Fraser (Post 10245767)
Ports can be re-enabled in software.

If your users have admin access to policies on your PCs, then the presence or absence of USB ports is the least of your problems. :O

Ex Cargo Clown 10th Sep 2018 17:52

What I'd love to know is as this appears to be an "internal" 3rd party hack, who the hell is going to investigate it?

ethicalconundrum 10th Sep 2018 18:44

I work in networking in the US. You do NOT want me to start telling stories about security breaches. I'll share one. Last Nov I was asked to go onsite at the federal IRS office in a large US southern state. I went to some of the storage systems where they keep taxpayer records. I typed in the default root password for the machine and on 7 of 11 of the systems - I was into their storage subsystem as root login. I told the on-site wunderkind who had to be all of 19 years old. He said they had already 'hardened them'. I said it needs to be harder than hard. They also have offsite management networks that breach the comms firewall with no VPN. Oye.....

beamender99 11th Sep 2018 09:15

https://www.bbc.co.uk/news/technology-45481976
"A cyber-security firm has said it found a malicious script injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.
A RiskIQ researcher analysed code from BA's website and app around the time when the breach began, in late August.
He claimed to have discovered evidence of a "skimming" script designed to steal financial data from online payment forms.
BA said it was unable to comment."

