Turbulent times as British Airways is hacked

A recent British Airways investigation has taken flight and the Police have been notified following the theft of over 300,000 customers’ personal and financial information.

The hackers experienced the holiday of a lifetime as 380,000 payment details were stolen over a period of two weeks. The dates between August 21st and September 5th have been identified as the main times of vulnerability. Those using card details on the British Airways website and app have been advised to consult their banks.

It seems as though the airline industry has been particularly susceptible to data breaches in recent years. During the month of July, Thomas Cook announced that names, flight details and emails had been accessed with at least 100 bookings in jeopardy because of the attack. Similarly, Air Canada’s data breach affected 20,000 customers; whilst Delta Airlines also experienced breaches in both September and October of 2017.

Rob Burgess, Editor of website headforpoints, said: “data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated. Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale which is being widely promoted at the moment.

“Following on from the IT meltdown last year, it seems that the decision to outsource the majority of BA’s IT to India is yet again coming back to haunt them. The airline has actually been working hard and succeeding of late, to reverse many of the recent cuts to in-flight service in an attempt to improve its public image. Sadly, this data breach is likely to knock back its efforts.”

Many have predicted that, due to the specificity of British Airway’s understanding of when the attack took place, the chain-supply attack happened live. As customers were typing their details, malicious code on the website or app may have been gleaning and stealing details, sending them to a third-party fraudster.

Websites that embed code from third-party suppliers, have found this to be an increasing problem.

Prof Alan Woodward, security expert at the University of Surrey, said: “They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk.”

“It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website.”

“This means it was either a direct compromise of their booking site, or compromise of a third-party provider.

“You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?”

This is just one sector and the ramifications and vulnerabilities span further than direct flights from London to Australia. The online threat is ever-present.

Legal service firms are even more liable and prone to attacking attempts. When law firms hold such sensitive personal and financial information, it is imperative that they are prepared for the cyber fraud threat in the future.

Does this suggest that the airline industry has a fundamental cyber security problem? What would the impact of a similar breach to the legal sector be? Is your firm prepared to deal with cyber security threats?