British Airways hit hard
In this age, credit cards are required for many aspects of our culture. To rent a car, book a hotel room, or purchase airline tickets, a credit or debit card is required, and purchasing these services without one is problematic. One airline providing this travel service is British Airways, a major international airline. Unfortunately, the airline's system was breached. This affected 380,000 credit card payments, which were made on the British Airways website and mobile app in August 2018. British Airways contacted the affected parties on September 7, 2018. Considering the large number of affected parties, a number of questions about the attack methodology arise. The attackers must have had clear, in-depth penetration into the system.
Attack
Investigators were able to determine when the attack occurred, down to the time of day. From August 21, 2018 (10:58p) through September 5, 2018 (9:45p), the company’s website and mobile app were successfully attacked and breached. Curiously, BA described this as a data theft rather than a breach. This may indicate an internal threat rather than an attack originating from a third party.
Data
The attackers could have targeted a variety of data, depending on the attack and the potential points to pivot from. They were able to access valuable data, including customers’ names, addresses, email addresses, credit card expiration dates, and other credit card details, including the CVV code. Fortunately for the affected parties, the attackers were not able to exfiltrate the customers’ passport data.
Vulnerability
Across several industries, web applications tend to be a viable and dependable point of attack. This is due to security not being included throughout the process, new vulnerabilities, and insecure coding, among other issues. BA did remediate the vulnerability.
Given these issues, it would be beneficial to know exactly which vulnerability was exploited or, if there were several, what they were. Others could then learn from the oversights, so that the same errors are not repeated in this and other industries. Unfortunately, BA has refused to answer any further questions relating to the breach.
Throughout the incident, BA worked with cybersecurity firms during the forensic review period. The attack period itself is notable: the attackers had over two weeks of full access. Perhaps the SIEM did not detect the compromise in a timely manner, or the logs and reports were not examined at length. This was too long for a compromise to continue, and it increased the number of clients affected.
Lessons
The information security teams should have detected this on their own or through the tools in place on the systems. The data should have been reviewed sooner than it was. This is a lesson for others, not only in the airline industry: logs should be regularly reviewed for anomalies and other unusual activity.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.