British Airways announced Thursday that it had suffered a hacking incident that compromised personal and financial details of customers who made bookings at the airline's website and official app.
The hack of British Airways' website and app compromised personal and financial information of customers who made bookings and changes between August 21 and September 5. Even though payment card details of hundreds of thousands have been compromised, the airline said in a statement that no passport or travel details were stolen.
Payment card details of 380,000 stolen
"We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.
"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.
"The breach has been resolved and our website is working normally. We have notified the police and relevant authorities," it said.
According to The Guardian, personal and financial details of around 380,000 customers were stolen by hackers. British Airways is now contacting all affected customers and advising them to get in touch with their respective banks or credit card providers and follow their recommended advice.
"Every customer affected will be fully reimbursed and we will pay for a credit checking service. We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis," it said, adding that customers are being advised to reset their ba.com passwords on its official website.
Commenting on the incident, which compromised the payment card details of hundreds of thousands of customers and will fall under the purview of GDPR, Israel Barak, Chief Information Security Officer at Cybereason, said that the British Airways breach once again highlights how difficult companies find it to protect the customer data their business depends on.
"Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts," he said.
Bill Evans, senior director at One Identity, said that while it's far too early to tell how this latest breach occurred, these types of cybercrimes are usually the result of poorly managed privileged accounts, the accounts that have access to most, if not all, IT systems. Protecting these accounts is perhaps the single most important security step any organisation can take, followed closely by multi-factor authentication and access governance.
Did the British Airways hack involve shadow IT devices?
Ilia Kolochenko, CEO of web security company High-Tech Bridge, also said that since the incident has only just come to light, it is too early to draw any definitive conclusions before a thorough technical investigation of the breach and its origins. However, he believes that shadow IT devices, over which large organisations have little visibility, could have contributed to the breach.
"Shadow IT and legacy applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey for the attackers.
"Web applications are the Achilles' heel of modern companies and organizations. Lawmakers make their lives even more complicated, as for example with GDPR, many organizations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented," he said.
This isn't the first time that British Airways has suffered a cyber security incident. Three years ago, users of some British Airways Executive Club and Registered Customer accounts were locked out after hackers tried to gain access to their accounts using information obtained elsewhere.
"We would like to reassure you that, although it does appear that the login attempt was successful on a small percentage of accounts, at this stage we are not aware of any access to any subsequent information pages within accounts, including flight histories or payment card details," the airline said following the incident.
Last year, human error led to a massive outage of British Airways' IT systems, affecting over 75,000 travellers. The outage was caused by a systems engineer who mistakenly switched off the power supply to the airline's IT systems. According to Willie Walsh, chief executive of IAG, the engineer 'was authorised to be in the data centre, but was not authorised to do what he did.'
"This resulted in the total immediate loss of power to the facility, bypassing the backup generators and batteries... After a few minutes of this shutdown, it was turned back on in an unplanned and uncontrolled fashion, which created physical damage to the systems and significantly exacerbated the problem," the airline said in an email.