[BreachExchange] British Airways hacked with 380, 000 sets of payment details stolen
Destry Winant
destry at riskbasedsecurity.com
Thu Sep 6 23:34:21 EDT 2018
https://www.telegraph.co.uk/business/2018/09/06/british-airways-hacked-380000-sets-payment-details-stolen/
British Airways has launched an “urgent” investigation and notified
police after hundreds of thousands of customers’ personal and
financial details were stolen.
The airline said the hack continued for almost two weeks, between
August 21 and September 5, with 380,000 payments compromised.
Stolen information did not include travel or passport details.
Customers who made bookings through ba.com or the airline’s app are
being urged to contact banks and credit card providers.
Alex Cruz, British Airways' chairman and chief executive said: "We are
deeply sorry for the disruption that this criminal activity has
caused. We take the protection of our customers' data very seriously."
Customers raised concerns that the airline had not contacted them
directly to tell them about the hack.
Daniel Willis, 34, from Milton Keynes who booked a flight on Monday
with the airline, said: "I saw the tweet, that was the first I knew of
it. This is my first involvement with BA since they left me stranded
with my wife and 2-year-old daughter for a few days in Düsseldorf in
December - again with no communication.
"I’ve not heard anything from them on this and I’ve just had to cancel
the card I used. They’re a shambles."
Stephanie Jowers, who works in tech and is from New York, said she
contacted the airline just hours before the hack was announced on
Twitter with concerns about charges on her account, but was not
informed that it could have been compromised.
"I contacted BA customer service by phone three hours prior to Twitter
announcement. I was unclear about the ‘fee’ charged referencing my
booking reference number. They put me on hold for a bit. Then the rep
told me I would be 'refunded within 24 hours'. I asked repeatedly for
an explanation. None was given. No case ID provided either or further
contact information for follow-up issues," she told the Daily
Telegraph.
She had booked flights during the window of time the airline said
their systems had been affected, and the charge had appeared on the
booking a week after she paid for the flights. When she contacted her
bank following BA's announcement the bank advised her to cancel her
card immediately.
Under GDPR rules, companies must inform regulators within 72 hours of
becoming aware of a data breach.
"If the breach is likely to result in a high risk of adversely
affecting individuals’ rights and freedoms, you must also inform those
individuals without undue delay," according to guidelines from the
Information Commissioner’s Office (ICO), the independent regulator
that upholds information rights in Britain.
The ICO said it had been alerted to the British Airways hack. A
spokesman said it would be “making inquiries”, but declined to comment
further given the airline’s investigations were “at a very early
stage”,
The data breach is the latest in a string to hit the airline sector.
Last week Air Canada confirmed a data breach affecting 20,000
customers. In July, Thomas Cook admitted names, emails and flight
details had been accessed, although the travel and airline company
insisted fewer than 100 bookings had been compromised.
In May, US airline Delta admitted to two breaches during September and
October last year.
Rob Burgess, editor of UK frequent flyer website www.headforpoints.com said:
"Data breaches are part and parcel of the world we now live in, and
criminal activity is getting ever more sophisticated. Unfortunately,
this is likely to be another PR disaster for British Airways,
especially as it includes tickets bought in their September sale which
is being widely promoted at the moment.
"Following on from the IT meltdown last year, it seems that the
decision to outsource the majority of BA's IT to India is yet again
coming back to haunt them. The airline has actually been working hard
and succeeding of late, to reverse many of the recent cuts to
in-flight service in an attempt to improve its public image. Sadly,
this data breach is likely to knock back its efforts."
More information about the BreachExchange
mailing list