British Airways Breach

Uploaded on 2020-10-21 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel

The fine being imposed British Airways following cyber-attack on its customer database has been reduced to £20 million from a previous figure of £183 million, which takes into account BA’s response and the financial impact of the  Coronavirus pandemic. Investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Over the course of 22 June to 5 September 2018 a criminal gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice.It adds that British Airways alerted it to the breach on 6 September and, while it “does not admit liability” for the breach of European data-protection regulations, the airline has “co-operated fully” with the investigation.

The inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyber-attacker obtained access to log-in credentials for an employee of cargo-handler Swissport. British Airways believes the attacker was able to “launch tools and scripts that the remote-access gateway would ordinarily have blocked” and bring in tools from outside the environment, which were then used to “conduct network reconnaissance”. This reconnaissance enabled the attacker to access the log-in and password of a privileged domain administrator account. “Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states. 

The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files were actually a test feature and not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each was only retained for 95 days. This left 108,000 payment cards exposed.

The attacker went further in mid-August 2018, setting up a redirect to a different website, branded ‘BAways’, which copied the payment card data of customers booking with the airline online. 

This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90min.British Airways has since made “considerable improvements” to its IT security, the Office states.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of a fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

NCSC:        Guardian:       ICO:         BBC:         Flight Global:  

You Might Also Read:

Nine Million EasyJet Customers Hacked:

Air Travel Needs Stronger Cyberscurity

 

« IBM Restructures To Concentrate On The Cloud
Russian Spies Attacked Olympic Games With Malware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

4N6

4N6

4N6 is a privately-owned firm founded with the goal of providing expert knowledge of computer forensics.

Beame.io

Beame.io

Beame.io is an information security company that distributes open source authentication infrastructure based on encryption.

Digital Ship

Digital Ship

Digital Ship provides news, information, conferences and events focused on digital ship systems, information technology and security relating to maritime operations.

Proteus

Proteus

Proteus is an Information Security consulting firm specialized in Risk Analysis and Executive Control.

ATIA

ATIA

ATIA provides consulting services in the design and implementation of IT system, Information Security, ISO certification, and professional IT training and education.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

Risk Ledger

Risk Ledger

Risk Ledger is improving the security of the global supply chain ecosystem, reducing the number of data breaches experienced through supply chain attacks by companies and consumers alike.

Trustify

Trustify

Trustify is a Managed Security Service Provider offering a suite of world-class Cyber Risk Management services.

1Kosmos

1Kosmos

1Kosmos provide Digital Identity and Passwordless Authentication for workforce and customers. Powered by advanced biometrics and blockchain technology.

Netox

Netox

Netox is a comprehensive IT service provider that combines IT support services, IT solutions and specialist services; specializing in cybersecurity solutions.

Infosys

Infosys

Infosys is a global leader in consulting, technology and outsourcing solutions.. Services include IT strategy, technical architecture and operations including cybersecurity.

Paragon Cyber Solutions

Paragon Cyber Solutions

Paragon Cyber Solutions provides specialized security risk management and IT solutions to protect the integrity of your business operations.

Theos Cyber Solutions

Theos Cyber Solutions

Theos Cyber provides service-first cybersecurity solutions to digital businesses in Asia.

TeamT5

TeamT5

TeamT5 Inc. is a leading cybersecurity company dedicated to cyber threat research and solutions.