27 September, 2018
Case Study: British Airways Data Breach
380,000 TRANSACTIONS AFFECTED BY A SOPHISTICATED CYBER ATTACK
British Airways reported that hackers carried out a “sophisticated, malicious criminal attack” on their website and mobile app.
The airline said personal and financial details of their customers making or changing bookings had been compromised. The attackers gained access to the payment data of 380,000 customers between 21st August 2018 and 5th September 2018.
The data breach may have gone on far longer than first thought as security researchers suggest the perpetrators may have gained access to customer data at least a week before the attack is thought to have happened.
Cyber security firm RiskIQ has found out that the hackers only changed 22 lines of codes to get a hold of the data. The codified code sent the information to the hackers’ servers as soon as someone press ‘Submit’ on the payment forms. The script was able to capture customer names, email addresses, credit card information (card number, expiration date and the three-digit CVV code). The firm suggests the hack was made by the same group who were previously linked to the breach of Ticketmaster.
Once the fraudsters have your personal information, they may be able to access your bank account, open new accounts in your name, use your details for fraudulent purchases and can sell your details on.
When British Airways became aware of the breach they began to work on it straight away. Unaware of the extent of the attack, they had teams working overnight.
The company contacted all customers who may have been affected and reported the issue.
Under GDPR, fines can be up to 4% of annual global revenue. The potential maximum fine can be £489m.
A law firm called SPG Law is considering sueing BA for £500m and have set up a dedicated website for anyone who has been affected.
British Airways are paying compensation to any customers who have been financially affected by the attack.
One British Airways customer told the BBC:
“I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc, related to those cards. This will take a long time, something I have to do with no help from BA.
This whole thing is terribly concerning and really annoying.”