British Airways Breach

Uploaded on 2020-10-21 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel

The fine being imposed British Airways following cyber-attack on its customer database has been reduced to £20 million from a previous figure of £183 million, which takes into account BA’s response and the financial impact of the  Coronavirus pandemic. Investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Over the course of 22 June to 5 September 2018 a criminal gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice.It adds that British Airways alerted it to the breach on 6 September and, while it “does not admit liability” for the breach of European data-protection regulations, the airline has “co-operated fully” with the investigation.

The inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyber-attacker obtained access to log-in credentials for an employee of cargo-handler Swissport. British Airways believes the attacker was able to “launch tools and scripts that the remote-access gateway would ordinarily have blocked” and bring in tools from outside the environment, which were then used to “conduct network reconnaissance”. This reconnaissance enabled the attacker to access the log-in and password of a privileged domain administrator account. “Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states. 

The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files were actually a test feature and not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each was only retained for 95 days. This left 108,000 payment cards exposed.

The attacker went further in mid-August 2018, setting up a redirect to a different website, branded ‘BAways’, which copied the payment card data of customers booking with the airline online. 

This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90min.British Airways has since made “considerable improvements” to its IT security, the Office states.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of a fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

NCSC:        Guardian:       ICO:         BBC:         Flight Global:  

You Might Also Read:

Nine Million EasyJet Customers Hacked:

Air Travel Needs Stronger Cyberscurity

 

« IBM Restructures To Concentrate On The Cloud
Russian Spies Attacked Olympic Games With Malware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Globalscape

Globalscape

Globalscape is a leader in secure data exchange solutions.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

Invensis Learning

Invensis Learning

Invensis Learning is a professional training and certification company providing IT Service Management, IT Security & Governance, DevOps, Cloud Computing and Digital Awareness training.

exceet Secure Solutions

exceet Secure Solutions

exceet Secure Solutions is your experienced specialist for Internet of Things (IoT), Heath Telematics, electronic signatures and timestamps and IT security.

Repulsa

Repulsa

Repulsa provides state-of-the-art, patented, fast filtering with over 700 million malicious IP addresses and over 30 million categorized site listings updated daily.

Logic Supply

Logic Supply

Logic Supply is a global industrial PC company focused on hardware for the IoT edge. We design highly-configurable computers engineered for reliability.

CYBAVO

CYBAVO

CYBAVO is a cryptocurrency security company founded by experts from the cryptocurrency and security industries.

Crypto Valley Association

Crypto Valley Association

Crypto Valley Association is an independent, government-supported association established to build the world’s leading blockchain and cryptographic technologies ecosystem.

Blockchain Firm

Blockchain Firm

Blockchain Firm is a leading Blockchain based software solutions and service provider with our roots of expertise running deep into the technology.

Macquarie Telecom Group

Macquarie Telecom Group

Macquarie Telecom is Australia's datacentre, cloud, cyber security and telecom company for mid-large business and government customers.

CyberPion

CyberPion

Cyberpion’s groundbreaking platform enables security teams to identify and neutralize threats stemming from vulnerabilities within online assets throughout an enterprise’s ecosystem.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

Alkira

Alkira

Alkira has reinvented networking for the cloud era by delivering the network cloud, the first global unified network infrastructure with on-demand hybrid and multi-cloud connectivity.

Anonos

Anonos

Anonos is a global software company that provides the only technology capable of protecting data in use with 100% accuracy, even in untrusted environments.

DNSFilter

DNSFilter

DNSFilter is the most accurate threat detection and content filtering tool on the market today.