back to article 'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …

Page:

  1. Kevin Fairhurst

    "We are deeply sorry for the disruption that this criminal activity has caused."

    It's criminal that they allowed a breach of this scale to 1) happen, 2) continue happening for two weeks!

    1. Anonymous Coward
      Anonymous Coward

      I wonder if VISA and Mastercard will fine them...could have fund a redundant hardware system for them.

      Not sure I'd want to be that PCI:DSS external auditor.

      It would also be interesting to see what system changes had taken place since the last QSA auditor's visit and certification.

      1. AliveAndKicking

        PCI is a joke

        Anyone can tell the auditor pretty much anything they want, they fail to spot even the most basic of issues.

        PCI audit is a gravy train. People need 2 days training to become an auditor, regardless of industry experience or domain knowledge.

        1. oxfordmale78

          Re: PCI is a joke

          The PCI audit tends to be focused on documentation, not on reality. As long as the documentation is in order, it doesn't matter if credit card details are stored unencrypted on a publicly accessible server.

          1. Anonymous Coward
            Anonymous Coward

            Re: PCI is a joke

            My old firm was doing this sort of statutory audit more than 20 years ago elsewhere in the EU, and it included checking that what the documentation said was actually being carried out.

            It sounds as though the old saying about UK auditors "auditing around the accounts" has been transferred over to IT.

      2. julian_n

        More's the point will the ICO now find some teeth under GDPR.

        With a turnover of approx €23bn, 4% is somewhat over €900M. That would kill any off-shoring savings for a year or two!

      3. Anonymous Coward
        Anonymous Coward

        Me again, Mr AC, latest news is they FAILED their Dec 2017 PCI:DSS audit.

        Perhaps ElReg can find out why through an AC with knowledge...

    2. macjules
      Black Helicopters

      Ever so slightly annoyed. I received a notice from John Lewis last week that someone had tried to use my card to buy "tyres", so cancelled it and had it replaced. Now I just got a notice from BA that the replacement card I used to buy a flight might be 'compromised", so that has just been cancelled as well.

      I feel like going back to paying in cash for everything.

      1. seven of five

        > I feel like going back to paying in cash for everything.

        Noooo! Only criminals insist on cash, don´t you remember?

        edit: upon rereading, this makes me look like one of the tinfoil brigade. Which I thought I ain´t. Maybe sarcasm is officially dead, choked on its own vomit.

        Oh, well.

      2. Neil Spellings

        Get a Revelut account..they offer one-time-use disposable credit card numbers.

        1. Warm Braw

          Revolut

          On the other hand, they don't (currenty) have a banking licence or FSCS protection.

          Useful article on protection and customer services issues with e-money firms here.

      3. Nano nano

        Back of the drawer ...

        Or send a cheque ...

      4. Anonymous Coward
        Anonymous Coward

        Now I just got a notice from BA that the replacement card I used to buy a flight might be 'compromised", so that has just been cancelled as well...I feel like going back to paying in cash for everything.

        Well, at least make sure that you boycott the business that you entrusted with your data, and write to the CEO pointing out that whatever "we take your data security seriously" statement they've made is an abject lie, that their organisation is incompetent, and highlighting examples of how their ineptitude is going to cost them money.

        I'd also recommend that you copy in somebody like the senior non-exec director, or the CEO of any parent company, because that dramatically enhances the chance that the CEO will have to read it, whereas most CEO complaints are read only by the PA who then writes a polite but insincere apology in the CEO's name. So if you want to do that, you'd write the complaint to Alex Cruz, and copy in Willie Walsh, CEO of IAG. Walsh's PA probably won't pass the complaint to him, that doesn't matter - Cruz has to cope with not just a Mr Angry letter, but he has to accept that there are measureable costs for each record lost. If nothing else, it occupies somebody's time and that costs them money.

        1. Gordon 10
          Thumb Up

          Good Advice

          Great advice - one caveat

          I wouldn't necessarily choose Willie - he's just the CEO's Boss. (i.e. another busy CEO)

          BA Board members can be found here.

          https://www.bloomberg.com/research/stocks/private/board.asp?privcapId=256565

          IAG Board Members here

          http://www.iagshares.com/phoenix.zhtml?c=240949&p=irol-govboard2

      5. Bruce Ordway

        back to paying in cash for everything

        >> back to paying in cash for everything

        And if vendors can easily offer pricing without credit card fees baked into them?

        My local gas station maintains a "cash only" pump which was cheaper but... the owner once explained to me it was complicated by credit card companies. According to him, prices are inflated due to credit card companies and there are restrictions to offering "discounts" for cash/alternate methods of pay... at least here in the US.

  2. Neil Spellings

    First large scale test of GDPR legislation perhaps?

    1. robidy

      Didn't that go to TSB?

      1. Doctor Syntax Silver badge

        "Didn't that go to TSB?"

        Good question. Their initial problem happened well before GDPR became effective. Were there any intrusions after that date? Simply providing an inadequate service without a leakage of customer PII isn't going to fail GDPR so were there any ongoing leakages subsequently?

    2. JimboSmith Silver badge

      First large scale test of GDPR legislation perhaps?

      I was thinking the very same thing and yes more than likely it will be. Could be a very big fine for BA or IAG. Someone just messaged me to say that they hope it was a script kiddie who hasn't been able to do anything with the data. I replied that I found that prospect more worrying i.e. the largest airline in the UK being able to be successfully attacked by a script kiddie.

      1. Neil Spellings

        Re: First large scale test of GDPR legislation perhaps?

        Of course I fully expect the end result to be no fine and GDPR shown to be a damp squid. IAG will argue it took "reasonable steps" to protect customers data blah blah and will walk away with a slapped wrist and offering free credit file monitoring for affected customers.

        1. Dr Who

          Re: First large scale test of GDPR legislation perhaps?

          Data protection and information security are two slightly different things.

          A good lawyer will show that BA only stored data it needed for the purposes of transacting its business with the customer and further that BA took reasonable steps to control access to and protect that data. The lawyer will show that this was a particularly skilled compromise of BA's information security measures, but not a breach of its obligations under GDPR.

          1. Anonymous Coward
            Anonymous Coward

            Re: First large scale test of GDPR legislation perhaps?

            That is not corrct.

            A data breach is a breach of GDPR, period. It is then down to the ICO to determine the size of fine taking many factors in to consideration.

            BA can be fined for this. The real question is whether the ICO has the guts. That remains to be seen.

        2. Anonymous Coward
          Anonymous Coward

          Re: First large scale test of GDPR legislation perhaps?

          GDPR shown to be a damp squid.

          Squib, not squid.

          All squid are damp, but only damp squibs are a failure, which is what the phrase means.

        3. Mr Dogshit
          Headmaster

          Re: a damp squid

          squib

          1. Anonymous Coward
            Anonymous Coward

            Re: a damp squid

            @Mr Dogshit

            Well done... now read the comment above yours.

          2. chronicdashedgehog

            Re: a damp squid

            Upvoted just for your username

  3. Anonymous Coward
    Anonymous Coward

    Sounds like a very bad hack.

    Zero mention of the word encrypted so clearly the information was stolen as it was inputted. This can only therefore be rogue code in BA's website, or a compromised third party hosted JavaScript library.

    Given the stolen information was only personal and payment information it sounds like a compromised third party script used during the booking process and nowhere else.

    Otherwise if you had access to add rogue code to the website, why would you stop at personal information and not travel or passport details.

    We've seen third-party hosted library attacks a few times recently, and it is one of the reasons I dislike relying on third-party hosted content.

    1. Anonymous Coward
      Anonymous Coward

      Third party commented source code is fine, providing you know how to read through it. Though I am assuming a quick read through is quicker than a full rewrite.

      Though things can still be hidden, you can use the source for examples and idea on how to do your own things.

      Using the code out right and not checking it? Asking for trouble.

      1. DaLo

        Not third party code, the AC is talking about third party hosted code which is prevelant across the board.

        There are many benefits to both the user and the site owner but it does provide another avenue(maybe multiple avenues) for potential attacks. If it is not using an Https connection to the third party then that is open to abuse.

    2. Gordon 10

      I tend to agree with you - 2 observations

      1. It was both the App and the Website - so presumably that narrows it down further.

      2. The detailed timing of the window suggest it was associated with either a BA or Thirdparty code release to me, or worse an explicit intrusion that they have already traced. Considering they only shut down the breach on Wed they have gathered a big chunk of forensics in the first 24hrs.

      1. Korev Silver badge

        1. It was both the App and the Website - so presumably that narrows it down further.

        The app tends to dump you onto a website to do a surprising number of things.

        I'm almost pleased that the BA attempts to make themselves into an expensive budget airline persuaded me to use a proper budget airline and avoid this!

    3. julian_n

      Sounds very similar to the One+ hack - I hope that BA are better than One+ at assisting affected customers.

    4. caffeine addict

      Bloke on Radio4 this morning sounded like he wanted to go into details of what happened but had been told not to.

      He said that the "very sophisticated" attack got card numbers and CVC codes but that encryption hadn't been broken. He also said that they hadn't spotted it, rather one of their trusted partner security firms (presumably one of those sites that verifies other sites are secure - in which case they suck) which suggests that maybe it was something hiding on a form page.

      I've not checked the app out. Is it anything more than a wrapper for some html pages? If it is, it sounds like someone actually got in to their system and listened in there, which is quite a lot worse.

      Interestingly, Radio4 said (and wasn't contradicted by blokey) that passports numbers had been taken too, but everything since has said otherwise.

      1. Anonymous Coward
        Anonymous Coward

        "Is it anything more than a wrapper for some html pages?"

        It is literally their web page wrapped in an app. It's absolute pants.

      2. uptoeleven

        "'App" isn't really an app...

        As a BA Exec Club member - I get to use their "app" all the time. It's basically a viewer for a bunch of html pages / forms - although (helpfully) not all cookies are shared with your browser so you have to log back in again, or just use their site. Nothing that can't be done more efficiently on the site itself, other than downloading boarding passes.

        As I won't be back in the UK for a couple of weeks I've now had to move all my funds out of the account to which the card was attached, and cancel the card for my business banking which means I'm now relying on backup, personal cards for business expenses and transferring between accounts.

  4. Anonymous Coward
    Anonymous Coward

    We take the protection of our customers’ data very seriously.

    as in "no, really, not kidding, seriously".

    1. Anonymous Coward
      Anonymous Coward

      Re: We take the protection of our customers’ data very seriously.

      Not as in a serious joke then?

    2. macjules

      Re: We take the protection of our customers’ data very seriously.

      Yes, It is OUR right to sell our customers' data on to dodgy third-party marketing agencies, not some criminal's right.

    3. Arkyn

      Re: We take the protection of our customers’ data very seriously.

      Always the same old line, I wish they would say something original or at least apologise and not prefix it with this obvious falsehood.

      1. Kabukiwookie

        Re: We take the protection of our customers’ data very seriously.

        We take the protection of our customers’ data very seriously.

        They just leave out the bit ', but not enough to spend any serious money on it, since damage control if something happens is still cheaper for us than actually making sure your data is secure'.

        These things will not change until C-level management is made directly responsible if things like this go wrong.

        Data breach? CTO goes to jail.

        Problem will fix itself within the next 6 months.

        1. el-keef

          Re: We take the protection of our customers’ data very seriously.

          "Data breach? CTO goes to jail."

          No-one in their right mind would take a CTO job if this was the case. So you'd end up with even more clueless idiots in charge, or companies would end up without a CTO at all. Either way I can only see this making things worse.

          Massive fines seems like a more effective way to solve this. But we've yet to see if this will actually happen under GDPR or if the bigger companies will wiggle their way out through loopholes.

          1. Anonymous Coward
            Anonymous Coward

            Re: We take the protection of our customers’ data very seriously.

            Too right!

            A C[I|T]O earns 50% more than the numpty developers, with 1000% of the responsibility and experience required. If you think a C[I|T]O in an organization the size of BA can reasonably be expected to inspect and personally assure what's being delivered by a 1000+ IT workforce then you have clearly never worked anywhere near that level.

            Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all. As it stands we have an IT market flooded with polyglot morons who think plugging frameworks and libraries together like lego bricks is actually worthy of £600/day, before they run off to their next contract and leave the steaming pile of non-performant and insecure crap behind them.

            1. Kabukiwookie

              Re: We take the protection of our customers’ data very seriously.

              Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all.

              Most of these f**k-ups only happen, because with every IT project, corners are being cut to meet arbitrary dead-lines (often linked with bonuses for management for finishing early/under budget).

              As it stands we have a market flooded by f**k-ups who think they're able to manage a project, who are paid well over £600/day, but are too moronic to listen to the highly paid experts when they tell them not to cut any corners. Only a poor crafts-man blames his tools.

              1. Anonymous Coward
                Anonymous Coward

                Re: We take the protection of our customers’ data very seriously.

                I will now forever associate BA with Bloody Agile.

          2. Kabukiwookie

            Re: We take the protection of our customers’ data very seriously.

            No-one in their right mind would take a CTO job if this was the case.

            You mean, nobody who doesn't know anything about security, how to enforce it and check that subordinates are indeed implementing said security would take the job.

            And that's exactly the purpose.

            Someone who cannot ensure that subordinates are doing what they're supposed to be doing should not be in any position of power. C-level management requires a person to have leadership skills, not being best golf-buddies with members of the board.

            1. el-keef

              Re: We take the protection of our customers’ data very seriously.

              Anyone with that level of security knowledge would know that's it's essentially impossible to guarantee absolute security. While there's definitely a lot most companies could and should do, there's always going to be some zero-day exploit that could bite you. Spectre and Meltdown have shown we can't even trust the basic hardware underpinning everything.

              Why would anyone take the risk that a new form of exploit out of your control could send you to jail? You'd have to be mad.

              If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.

              1. Kabukiwookie

                Re: We take the protection of our customers’ data very seriously.

                If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.

                Of course it would would not magically happen, it would require real work. Things 'magically happen' because someone else will take care of it is the current way of thinking, where C-level management is absolved from any wrong-doing, because they're 'not able' to control what everyone else in the company is doing.

                The key term here is 'due diligence'. Right now a lot of top management has no interest in ensuring they do a good job, since they are able to hide behind the excuse that they can't control what's happening on the lower rungs in the company.

                misunderstand how business works.

                I understand very well how businesses (and their internal politics) currently work and I also understand quite well what it would take to make them work well. You however don't seem to understand human nature.

                Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick.

                1. el-keef

                  Re: We take the protection of our customers’ data very seriously.

                  "Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick."

                  I agree with this statement, I just disagree that a stick which involves CTOs going to jail will be effective.

                  I actually think the GDPR, if it's actually implemented with vigour, provides a good stick - fining a company some large percentage of their global takings is a pretty decent incentive. But we'll see if companies wriggle out somehow.

                  1. Kabukiwookie

                    Re: We take the protection of our customers’ data very seriously.

                    fining a company some large percentage of their global takings is a pretty decent incentive.

                    Fines will be borne by the company, which will translate it into their cost. This means that with the large oligopolies that we're currently having, the customer eventually pays for the f**k-ups of poor management.

                    I am not saying CTOs should immediately go to jail without any investigation, but if their Security Officer has been warning the CTO time and time again that things need to be improved and the CTO doesn't act, the CTO did not perform his/her 'due diligence'. This should be at the very least a fire-able offence without pay / golden parachute.

                    The issue I have with this is that even if this happens (it does not), that incompetent previous C-level manager will happily start working somewhere else at the same level, due to his golf-buddies and f**k things up there.

                    Jail time seems to be the only way to actually get the message across. It doesn't even have to be years (I am actually against long incarceration), but even a few months being deprived of their freedom will quickly change not only their perception of the seriousness of the job, it will also change the perception of the next board looking to hire C-level managers.

                    I have no problem with competent managers being compensated properly. I have a problem with bumbling fools being elevated above their capabilities, f**king up things for all employees in the company, then move on to the next one using their golden parachute.

                    1. Gordon 10

                      Re: We take the protection of our customers’ data very seriously.

                      @wookie. I agree with the seniment of your post. BA aren't anywhere near an oligopoly though...

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like