British Airways Breach

Uploaded on 2020-10-21 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel

The fine being imposed British Airways following cyber-attack on its customer database has been reduced to £20 million from a previous figure of £183 million, which takes into account BA’s response and the financial impact of the  Coronavirus pandemic. Investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Over the course of 22 June to 5 September 2018 a criminal gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice.It adds that British Airways alerted it to the breach on 6 September and, while it “does not admit liability” for the breach of European data-protection regulations, the airline has “co-operated fully” with the investigation.

The inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyber-attacker obtained access to log-in credentials for an employee of cargo-handler Swissport. British Airways believes the attacker was able to “launch tools and scripts that the remote-access gateway would ordinarily have blocked” and bring in tools from outside the environment, which were then used to “conduct network reconnaissance”. This reconnaissance enabled the attacker to access the log-in and password of a privileged domain administrator account. “Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states. 

The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files were actually a test feature and not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each was only retained for 95 days. This left 108,000 payment cards exposed.

The attacker went further in mid-August 2018, setting up a redirect to a different website, branded ‘BAways’, which copied the payment card data of customers booking with the airline online. 

This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90min.British Airways has since made “considerable improvements” to its IT security, the Office states.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of a fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

NCSC:        Guardian:       ICO:         BBC:         Flight Global:  

You Might Also Read:

Nine Million EasyJet Customers Hacked:

Air Travel Needs Stronger Cyberscurity

 

« IBM Restructures To Concentrate On The Cloud
Russian Spies Attacked Olympic Games With Malware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

KirCCS harnesses expertise across Kent University to address current and potential cyber security challenges.

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

ObserveIT

ObserveIT

ObserveIT helps companies identify & eliminate insider threats. Visually monitor & quickly investigate with our easy-deploy user activity monitoring solution.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

Flexential

Flexential

Flexential helps organizations optimize their journey of IT transformation while simultaneously balancing cost, scalability, compliance and security.

Sage Designs

Sage Designs

Sage Designs is a provider of SCADA, Security & Industrial Automation products and training programs.

Infortec

Infortec

Infortec provide consultancy and solutions for the protection of digital information and the management of computer resources.

Commonwealth Cybercrime Initiative (CCI)

Commonwealth Cybercrime Initiative (CCI)

The CCI unites 35 international organisations contributing to multidisciplinary programmes in Commonwealth countries. These organisations form the CCI Consortium.

SpyCloud

SpyCloud

SpyCloud is a leader in account takeover (ATO) prevention, protecting billions of consumer and employee accounts either directly or through product integrations.

CyberSaint Security

CyberSaint Security

CyberSaint’s CyberStrong Platform empowers organizations to implement automated, intelligent cybersecurity compliance and risk management.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

Everbridge

Everbridge

Everbridge provides enterprise software applications that automate and accelerate organizations’ operational response to critical events in order to keep people safe and businesses running.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

Redington

Redington

Redington offer products and services in solution areas including digital transformation, hybrid infrastructure and cybersecurity.

Gutsy

Gutsy

Gutsy uses process mining to help organizations visualize and analyze their complex security processes to understand how they actually run, based on observable event data.

DNS Research Federation (DNSRF)

DNS Research Federation (DNSRF)

DNSRF's mission is to advance the understanding of the Domain Name System's impact on cybersecurity, policy and technical standards.