British Airways data breach

In summer 2018, a data breach affected almost 400,000 customers of British Airways, of which almost 250,000 had their names, addresses, credit card numbers and CVV cards stolen. The attack gained access to British Airways systems via the account of a compromised third party and escalated their account privileges after finding an unsecured administrator password. The attacker stole data that British Airways was improperly recording and also redirected users of British Airways website to a bogus site that was designed to steal more data.

In October 2020 the ICO fined British Airways £20 million for breaches of GDPR related to the breach. A legal claim by customers who had been affected by the breach was settled out of court in 2021.

Attack

On June 22nd 2018, an attacker gained access to British Airways Network by means of compromised credentials from an employee of Swissport, a third party cargo handler.^[1] The compromised account did not have Multi-factor authentication enabled.^[1]

The attacker was initially restricted to a citrix environment, but successfully broke out of the environment by unknown means.^[1] After breaking out of the environment, the attacker was able to escalate their privilege after finding an administrator password stored in plaintext on the server.^[1]

On 26 July 2018, the attacker found plain text files, containing payment card details for BA redemption transactions. The ICO's report highlighted this as follows:

The logging and storing of these card details (including, in most cases, CVV numbers) was not an intended design feature of BA's systems and was not required for any particular business purpose.
It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.
The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that
the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker.^[1]

Customer Data Collection

BA's website used a JavaScript Library called Modernizer. BA had not updated their version of the library since 2012 and the version they were using had a known bug that allowed the attacker to redirect customer information to a fake domain, baways.com, that they had registered.^[2] The payment process appeared completely normal.

Discovery

On 5th of September a third party informed BA of the malicious code acting on their website. Within 90 minutes it was removed. On the 6th of September BA informed the ICO, and 500,000 affected customers.^[1]

On the 7th of September British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018 with credit card details of around 380,000 total customers being compromised.^[3] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes – enough to allow thieves to steal from accounts.^[3] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include CVV numbers.^[4]

British Airways urged customers to contact their banks or credit card issuer and to follow their advice.^[3] NatWest said that it received more calls than usual because of the breach.^[3] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.^[3]

Legal consequences

In 2019 the ICO announced it intended to issue a fine for 1.5% of the airline's 2017 turnover, amounting to £183.39 million.^[5]

After negotiations with the ICO British Airways was fined £20 million by the Information Commissioner's Office in October 2020.^[5] the financial strain of the COVID-19 pandemic was cited as one reason for the reduced fine.

In 2021 the law firm Podgust and Goodhead announced that they were representing a group of BA customers who had been affected by the breach in "the largest group-action personal-data claim in UK history"^[6]. The class was settled out of court^[7].

References

^ ^a ^b ^c ^d ^e ^f ICO. "ICO - action we've taken - BA" (PDF).
^ Stokel-Walker, Chris. "A simple fix could have saved British Airways from its £183m fine". Wired. ISSN 1059-1028. Retrieved 2024-11-26.
^ ^a ^b ^c ^d ^e Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.
^ "BA investigation into website hack reveals more victims". BBC News. 2018-10-25. Retrieved 2022-11-04.
^ ^a ^b Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.
^ Rodgers, Jason (2021-01-15). "British Airways Data Breach Claim Becomes Biggest Of Its Kind In The UK". Pogust Goodhead. Retrieved 2024-11-26.
^ "British Airways data-breach compensation claim settled". BBC News. 2021-07-06. Retrieved 2024-11-26.

[:0-1] ^ ^a ^b ^c ^d ^e ^f ICO. "ICO - action we've taken - BA" (PDF).

[2] Stokel-Walker, Chris. "A simple fix could have saved British Airways from its £183m fine". Wired. ISSN 1059-1028. Retrieved 2024-11-26.

[Sandle2018-3] Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.

[4] "BA investigation into website hack reveals more victims". BBC News. 2018-10-25. Retrieved 2022-11-04.

[:1-5] Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.

[6] Rodgers, Jason (2021-01-15). "British Airways Data Breach Claim Becomes Biggest Of Its Kind In The UK". Pogust Goodhead. Retrieved 2024-11-26.

[7] "British Airways data-breach compensation claim settled". BBC News. 2021-07-06. Retrieved 2024-11-26.

[1]

[2]

[3]

[4]

[5]

[6]

[7]