"We are deeply sorry for the disruption that this criminal activity has caused."
It's criminal that they allowed a breach of this scale to 1) happen, 2) continue happening for two weeks!
British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …
My old firm was doing this sort of statutory audit more than 20 years ago elsewhere in the EU, and it included checking that what the documentation said was actually being carried out.
It sounds as though the old saying about UK auditors "auditing around the accounts" has been transferred over to IT.
Ever so slightly annoyed. I received a notice from John Lewis last week that someone had tried to use my card to buy "tyres", so cancelled it and had it replaced. Now I just got a notice from BA that the replacement card I used to buy a flight might be "compromised", so that has just been cancelled as well.
I feel like going back to paying in cash for everything.
Now I just got a notice from BA that the replacement card I used to buy a flight might be "compromised", so that has just been cancelled as well...I feel like going back to paying in cash for everything.
Well, at least make sure that you boycott the business that you entrusted with your data, and write to the CEO pointing out that whatever "we take your data security seriously" statement they've made is an abject lie, that their organisation is incompetent, and highlighting examples of how their ineptitude is going to cost them money.
I'd also recommend that you copy in somebody like the senior non-exec director, or the CEO of any parent company, because that dramatically enhances the chance that the CEO will have to read it, whereas most CEO complaints are read only by the PA who then writes a polite but insincere apology in the CEO's name. So if you want to do that, you'd write the complaint to Alex Cruz, and copy in Willie Walsh, CEO of IAG. Walsh's PA probably won't pass the complaint to him, but that doesn't matter - Cruz has to cope with not just a Mr Angry letter, but he has to accept that there are measurable costs for each record lost. If nothing else, it occupies somebody's time and that costs them money.
Great advice - one caveat
I wouldn't necessarily choose Willie - he's just the CEO's Boss. (i.e. another busy CEO)
BA Board members can be found here.
https://www.bloomberg.com/research/stocks/private/board.asp?privcapId=256565
IAG Board Members here
http://www.iagshares.com/phoenix.zhtml?c=240949&p=irol-govboard2
>> back to paying in cash for everything
And if vendors can easily offer pricing without credit card fees baked into them?
My local gas station maintains a "cash only" pump which was cheaper but... the owner once explained to me it was complicated by credit card companies. According to him, prices are inflated due to credit card companies and there are restrictions to offering "discounts" for cash/alternate methods of pay... at least here in the US.
"Didn't that go to TSB?"
Good question. Their initial problem happened well before GDPR became effective. Were there any intrusions after that date? Simply providing an inadequate service without a leakage of customer PII isn't going to fail GDPR so were there any ongoing leakages subsequently?
I was thinking the very same thing and yes more than likely it will be. Could be a very big fine for BA or IAG. Someone just messaged me to say that they hope it was a script kiddie who hasn't been able to do anything with the data. I replied that I found that prospect more worrying i.e. the largest airline in the UK being able to be successfully attacked by a script kiddie.
Of course I fully expect the end result to be no fine and GDPR shown to be a damp squid. IAG will argue it took "reasonable steps" to protect customers data blah blah and will walk away with a slapped wrist and offering free credit file monitoring for affected customers.
Data protection and information security are two slightly different things.
A good lawyer will show that BA only stored data it needed for the purposes of transacting its business with the customer and further that BA took reasonable steps to control access to and protect that data. The lawyer will show that this was a particularly skilled compromise of BA's information security measures, but not a breach of its obligations under GDPR.
That is not correct.
A data breach is a breach of GDPR, period. It is then down to the ICO to determine the size of fine taking many factors in to consideration.
BA can be fined for this. The real question is whether the ICO has the guts. That remains to be seen.
Sounds like a very bad hack.
Zero mention of the word encrypted so clearly the information was stolen as it was inputted. This can only therefore be rogue code in BA's website, or a compromised third party hosted JavaScript library.
Given the stolen information was only personal and payment information it sounds like a compromised third party script used during the booking process and nowhere else.
Otherwise if you had access to add rogue code to the website, why would you stop at personal information and not travel or passport details.
We've seen third-party hosted library attacks a few times recently, and it is one of the reasons I dislike relying on third-party hosted content.
Third party commented source code is fine, providing you know how to read through it. Though I am assuming a quick read through is quicker than a full rewrite.
Though things can still be hidden, you can use the source for examples and idea on how to do your own things.
Using the code out right and not checking it? Asking for trouble.
Not third party code, the AC is talking about third party hosted code which is prevalent across the board.
There are many benefits to both the user and the site owner but it does provide another avenue (maybe multiple avenues) for potential attacks. If it is not using an HTTPS connection to the third party then that is open to abuse.
I tend to agree with you - 2 observations
1. It was both the App and the Website - so presumably that narrows it down further.
2. The detailed timing of the window suggests to me it was associated with either a BA or third-party code release, or worse an explicit intrusion that they have already traced. Considering they only shut down the breach on Wed they have gathered a big chunk of forensics in the first 24hrs.
1. It was both the App and the Website - so presumably that narrows it down further.
The app tends to dump you onto a website to do a surprising number of things.
I'm almost pleased that the BA attempts to make themselves into an expensive budget airline persuaded me to use a proper budget airline and avoid this!
Bloke on Radio4 this morning sounded like he wanted to go into details of what happened but had been told not to.
He said that the "very sophisticated" attack got card numbers and CVC codes but that encryption hadn't been broken. He also said that they hadn't spotted it, rather one of their trusted partner security firms (presumably one of those sites that verifies other sites are secure - in which case they suck) which suggests that maybe it was something hiding on a form page.
I've not checked the app out. Is it anything more than a wrapper for some html pages? If it is, it sounds like someone actually got in to their system and listened in there, which is quite a lot worse.
Interestingly, Radio4 said (and wasn't contradicted by blokey) that passport numbers had been taken too, but everything since has said otherwise.
As a BA Exec Club member - I get to use their "app" all the time. It's basically a viewer for a bunch of html pages / forms - although (helpfully) not all cookies are shared with your browser so you have to log back in again, or just use their site. Nothing that can't be done more efficiently on the site itself, other than downloading boarding passes.
As I won't be back in the UK for a couple of weeks I've now had to move all my funds out of the account to which the card was attached, and cancel the card for my business banking which means I'm now relying on backup, personal cards for business expenses and transferring between accounts.
We take the protection of our customers’ data very seriously.
They just leave out the bit ', but not enough to spend any serious money on it, since damage control if something happens is still cheaper for us than actually making sure your data is secure'.
These things will not change until C-level management is made directly responsible if things like this go wrong.
Data breach? CTO goes to jail.
Problem will fix itself within the next 6 months.
"Data breach? CTO goes to jail."
No-one in their right mind would take a CTO job if this was the case. So you'd end up with even more clueless idiots in charge, or companies would end up without a CTO at all. Either way I can only see this making things worse.
Massive fines seems like a more effective way to solve this. But we've yet to see if this will actually happen under GDPR or if the bigger companies will wiggle their way out through loopholes.
Too right!
A C[I|T]O earns 50% more than the numpty developers, with 1000% of the responsibility and experience required. If you think a C[I|T]O in an organization the size of BA can reasonably be expected to inspect and personally assure what's being delivered by a 1000+ IT workforce then you have clearly never worked anywhere near that level.
Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all. As it stands we have an IT market flooded with polyglot morons who think plugging frameworks and libraries together like lego bricks is actually worthy of £600/day, before they run off to their next contract and leave the steaming pile of non-performant and insecure crap behind them.
Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all.
Most of these f**k-ups only happen because with every IT project, corners are being cut to meet arbitrary deadlines (often linked with bonuses for management for finishing early/under budget).
As it stands we have a market flooded by f**k-ups who think they're able to manage a project, who are paid well over £600/day, but are too moronic to listen to the highly paid experts when they tell them not to cut any corners. Only a poor craftsman blames his tools.
No-one in their right mind would take a CTO job if this was the case.
You mean, nobody who doesn't know anything about security, how to enforce it and check that subordinates are indeed implementing said security would take the job.
And that's exactly the purpose.
Someone who cannot ensure that subordinates are doing what they're supposed to be doing should not be in any position of power. C-level management requires a person to have leadership skills, not being best golf-buddies with members of the board.
Anyone with that level of security knowledge would know that it's essentially impossible to guarantee absolute security. While there's definitely a lot most companies could and should do, there's always going to be some zero-day exploit that could bite you. Spectre and Meltdown have shown we can't even trust the basic hardware underpinning everything.
Why would anyone take the risk that a new form of exploit out of your control could send you to jail? You'd have to be mad.
If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.
If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.
Of course it would not magically happen, it would require real work. Things 'magically happen' because someone else will take care of it is the current way of thinking, where C-level management is absolved from any wrong-doing, because they're 'not able' to control what everyone else in the company is doing.
The key term here is 'due diligence'. Right now a lot of top management has no interest in ensuring they do a good job, since they are able to hide behind the excuse that they can't control what's happening on the lower rungs in the company.
misunderstand how business works.
I understand very well how businesses (and their internal politics) currently work and I also understand quite well what it would take to make them work well. You however don't seem to understand human nature.
Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick.
"Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick."
I agree with this statement, I just disagree that a stick which involves CTOs going to jail will be effective.
I actually think the GDPR, if it's actually implemented with vigour, provides a good stick - fining a company some large percentage of their global takings is a pretty decent incentive. But we'll see if companies wriggle out somehow.
fining a company some large percentage of their global takings is a pretty decent incentive.
Fines will be borne by the company, which will translate it into their cost. This means that with the large oligopolies that we're currently having, the customer eventually pays for the f**k-ups of poor management.
I am not saying CTOs should immediately go to jail without any investigation, but if their Security Officer has been warning the CTO time and time again that things need to be improved and the CTO doesn't act, the CTO did not perform his/her 'due diligence'. This should be at the very least a fire-able offence without pay / golden parachute.
The issue I have with this is that even if this happens (it does not), that incompetent previous C-level manager will happily start working somewhere else at the same level, due to his golf-buddies and f**k things up there.
Jail time seems to be the only way to actually get the message across. It doesn't even have to be years (I am actually against long incarceration), but even a few months being deprived of their freedom will quickly change not only their perception of the seriousness of the job, it will also change the perception of the next board looking to hire C-level managers.
I have no problem with competent managers being compensated properly. I have a problem with bumbling fools being elevated above their capabilities, f**king up things for all employees in the company, then moving on to the next one using their golden parachute.
You can see from the relative swiftness and number of comms channels with which BA have informed their customers, that they are trying to mitigate any potential ICO fines under that part of the DPA 2018 legislation.
What remains to be seen is if future announcements follow previously attacked companies' behaviour: a slow drip of info that more customers were affected; that the attack had been going on much longer...
There's a very interesting post on PPRuNe which appears to challenge the idea of BA taking the protection of their customer's data seriously.
PPrune: Thread: BA hacked but they're 'deeply sorry' Posting: website security
To summarise with some quotations taken from the above post on PPRuNe by 'kristofera':
1) Boatloads of 3rd party JS loaded from external sources
2) No SRI signatures to ensure scripts have not been tampered with
3) No CSP header to block script from "other" sources to be injected...
I'm not an expert in any way shape or form in this area, but it doesn't sound good.
Just to reply to my own posting, the writer of the PPRuNe posting has their own blog which goes into more detail, posted in May this year.
KristoferA's blog: Things you probably don't want to do on your [airline] website's payment pages
I have no connection with KristoferA, but thought it might make an interesting, if sobering, read, especially for anyone involved in PCI-DSS compliance.
I wouldn't presume subresource integrity to be already a mainstream defense, but the absence of a CSP header and the script loaded from untrusted sources would typically qualify for an act of negligence on a website like BA's.
Now I'm not sure the CEO should be the one losing seat for this.
I'd need to know whether
1) security threat modelling teams did not spot the threat or issued poorly crafted warnings to the website project team,
2) whether some project manager skipped the requirement because "security stuff" or
3) whether a developer cheated by marking it "done" or
4) whether the security testing team didn't spot or follow up the issue or
5) whether the fix made it to the code and somehow did not end up on the website.
6) etc.
In such cases, root cause analysis is key to understanding who or what processes were responsible to allow improvement. If BA just fires one person over this then we'll know they aren't doing RCA correctly.
I still cross paths with security testing teams that can't issue anything more detailed than a "setup a CSP header" instruction without explaining why or what should be in the header.
Subject: Group IT Cyber Security Update
From: John Hamilton
Sent: 01 August 2018 13:56
All,
Organisations across the world are facing a significant rise in more sophisticated and persistent cyber threat activity, and increasing regulatory requirements.
Group IT has been looking at a group solution to strengthen our capability to continue to protect IAG and its operating companies (OpCos). Internal and external reports undertaken highlight that further investment is required in cyber security across IAG to provide a group-wide strategic and proactive approach.
We have therefore outlined proposals to set up a Cyber Security Office and transfer the services of Cyber Security to a third-party partner, IBM, as a managed service to cover all cyber security services required to support IAG and its OpCos. Security Operations services will remain in Service Operations, Tower 3, in Service and Infrastructure.
This proposal has been approved by the British Airways Management Committee (MC) for the start of a collective consultation process with BA colleagues and their representatives. We will of course, listen to and evaluate any alternative proposals put forward and are committed to consulting with affected colleagues within the applicable local and legal frameworks.
We recognise and appreciate this proposal will mean a period of uncertainty and concern for colleagues working in the Cyber Security function. Should you have any questions or concerns, please speak to your line manager.
Regards,
John Hamilton and Laurie Diffey
John Hamilton | Group IT Service Effectiveness Manager
WTS
IAG GBS, Waterside (HAB2)
PO Box 365, Harmondsworth, Middlesex
UB7 0GB, United Kingdom
(sat nav UB7 0GA)
Agree the timing has some comedic elements to it but again it's showing that many organisations just don't know how to run an effective SOC and in turn Cybersecurity practices. Skills are at a premium and surely it's better to outsource this to vendors who can provide effective management of these processes. It seems most orgs just capture everything via some SIEMs and react when the brown stuff explodes in their faces.
Bet you take front page media fallout and GDPR fines 'very seriously' though! BA robbed 2 grand off my family in denied flight refunds once. So forgive a moment of smugness here, but it feels good to watch executives squirm today.
Not that it will affect their bonuses. That's what GDPR needs to do next, Senior-Executive-Bonus-Clawback. Now that would concentrate minds 'very seriously'.
I have a BA Amex and I make bookings every week with BA. I just phoned the BA Amex card number (from India, where I am now) and there's a recorded message "We are aware blah....you are not liable blah....there is no need to take any action at this time".
So no panic from them, it seems.
My previous booking (in the time frame) was done on ba.com whilst logged in and I used my saved card details, just having to enter my CVV. I wonder if that helped or not, given that I didn't have to actually key in a bunch of stuff? Depends where the malware was plonked, I guess.
"Yes, and I always use the old one via BAEC as the new one is fugly and horrid to use."
The new one is both horrid to use and the business logic is completely broken.
For example, explicitly tell it you want flights departing from LHR (Heathrow) and it will give you answers for Gatwick and every other "somewhere near London" airport.
The result is instead of a page listing three or four flights, you're dumped with a page listing 20–30 which you then have to scroll through.
To steal (i.e. to commit theft) in English law is to 'permanently deprive' the victim of what is stolen. Unless the data were deleted at source by the perps after they got hold of it, it's exfiltration not theft. If the perps go on to take funds using the exfiltrated card data that will be theft.
The spokesbeing on R4 this morning confirmed (a) 'all the data was encrypted' and (b) including CVV numbers.
Those familiar with PCI-DSS will be aware that two of its main requirements are that credit card data must be encrypted (tick), and that CVV numbers must NOT be retained on the system, even in encrypted form (whoops). The problem isn't so much with PCI-DSS in principle (though there are problems there, too), but the 'enforcement' mechanism. This is basically that the credit card provider will charge you more for transactions if you're not PCI-DSS and (more significantly) that it's the merchant who is responsible for settling any fraudulent transactions.
But this enforcement mechanism becomes almost irrelevant if you're a tier 1 customer, doing billions a year (like BA). These guys don't have the same arrangements with the credit card companies that a small corner shop would have, it's an individual deal and non-compliance with PCI-DSS isn't a deal-breaker (as long as you can say "yes we're aware of this issue and have plans in place to resolve it ...").
According to the Radio 4 interview, the following information was stolen
1) Credit Card number
2) Expiration date
3) CVV number
4) Name
5) DOB
And he wanted to tell how the information was stolen, but it was very complicated (subtext it was in a report he read, but it wasn’t written in a language he understood)
380,000 cards in 3 weeks? Seems like a lot. Apparently they fly 145,000 passengers/day, so if nothing else it's likely the attack was across the whole company not one region.
Co-inky-dinkly, my Amex card just got abused last night. At least twice, before I was able to make the call and get it blocked.
Nothing massive, just a couple of online services taking a preauth - possibly an abuser “testing” the numbers. Now I’ve not flown BA for a while: I probably have used that card number with them in the past, though it would be a different expiry and CID.
But there’s a few other orgs that held that card’s details, at least three of which are “big enough” to have been storing numbers themselves instead of a third party system. I hope none of them have been hit, for that would be very messy indeed.
"Should I call my bank or cancel my credit cards?
We recommend you contact your bank and follow their recommended advice."
Talk about passing the buck. WTF is 'recommended advice'?
Glad I'm not a customer (never liked them, especially since they started flying international only out of London).
"Under the GDPR, supervisory authorities will be given significantly more powers to enforce compliance and will have the power to impose administrative fines, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year"
Even though I've not booked on BA.com for over a year so unlikely affected, although not holding my breath... I thought I'd change my password as always good practice when a site gets compromised, but their password reset function appears broken, so right now can't even change password!!
I wonder if BA had a "chat" service to help customers during the booking process:
https://www.theregister.co.uk/2018/04/05/sears_delta_customer_payment_cards_hacked/
Quick clip from Radio 4 listing what was stolen:
https://www.bbc.co.uk/programmes/p06kjsw3
The full Radio 4 interview is worth listening to, more for what isn't said about the breach....
https://www.bbc.co.uk/radio/play/b0bgp8g6
Starts at 1:50:30
People seem too keen to blame third party JavaScript code and/or a hack on the website but given the long and precise date range over which data was stolen, Occam's razor suggests to me that a one-off theft of a single DB might be the truth. Of course, that would also suggest that they *were* storing CVV codes in their DB. But it does seem more likely to me than the notion that they had a compromised, busy public website on which a data leakage hack was able to operate unspotted for such a long time...
My work colleague mentioned she was hit by this hack a few days ago.
She claims they stole her AMEX details from BA and purchased a number of BA flights with it. I cannot help but think that is an odd choice for a hacker, passport control would be an adrenaline thrill wondering whether the flight had been flagged as fraud or not.
It's always a sophisticated attack isn't it. To start with they like to make out it was the equivalent of a 5yr long NSA funded Mossad developed program of industrial espionage.
In 3 months we'll find out they were hacked by a bright 11yr old that stumbled on one of their remote access logins with a null password.
Either that or a manager clicked on a phishing link really thinking he was getting "Genuine grad A top qwaliti Viagrae".
Oh and I've flown BA a few times with increasing levels of uselessness and farce followed by their best attempts at ignoring me in the complaint process. I've flown with many carriers including Ryanair and EasyJet and in my own personal experience BA have been the worst to use.
I was affected by the breach and got an email from them (without a lot of detail). I replied back asking for details and was given an undeliverable message
"mr1-0.bo3.e-dialog.com rejected your message to the following email addresses:
Your message couldn't be delivered because the recipient's email system reported the following error: '550 5.8.5 For security reasons we do not accept messages containing images or other attachments. We respectfully suggest you remove any image or attachment (this may be your corporate signature) and resend. Thank you."
Turns out it was the images in their message to me included in the reply string - I deleted that and my message got through to them (but no reply yet). Seems a bit odd to send an email and then reject a reply because it's potentially insecure due to their own message ...
Been in IT for 20 years now. Seen a lot of the India outsourcing companies and how they operate and they never come close to a UK team's competence.
I'll have to keep my comments light for libel reasons. I've worked with TCS personally and I have personally experienced a lack of technical skills when they were claiming to be specialists. That's especially hard to take when you see someone that is competent being made redundant to make room for them. In the end, you build a rapport with the TCS technicians, after all, they are human and they are merely a cog in the Tata machine. When you find yourself having to find an extra number of hours a week to clean up after them though, it gets harder to digest.
When I worked with them, I found myself scrutinising everything they did. Reviewing every line of code and config, because the level of inconsistencies and errors was high. We found ourselves constantly chasing TCS for actions which ultimately delayed projects and caused additional expense in onshore teams due to replanning and repeat effort. I have personally seen a farm of servers built by TCS. Every single server looked different and had its own problems. Classic inexperienced stuff like setting different file ownership/permissions on each server which left a server open to an attack. This is the sort of thing an experienced member of staff solves with scripting and automation.
The costs of outsourcing are not clear. There is an indirect cost on everyone else, covering up and keeping the business running.
You would think these outsourcing companies would learn from their mistakes, but that takes personal responsibility and that isn't profitable. I have worked with a TCS team that changed its staff on a monthly basis. It just felt like setback after setback. Instead of continuous improvement, you find yourself training the next offshore guy because the previous offshore guy told him half a story and didn't write up a process for transition.
I could blame TCS all day long for this sort of stuff, but I have to hold UK based Project Managers and Senior Managers accountable. They are the ones hiring these guys. They are the ones not holding them to account. They are often the ones that do not know IT and are merely there because they know the business. They are the ones that might have done some coding 20 years ago when things were very different and are therefore out of touch. They are the ones that are not auditing offshore for their true cost and just accepting this as IT culture. The sooner IT starts treating bugs and defects as incompetence, the better. Right now, you're a hero when you release something broken and fix it. I can't think of any other profession where you reward a tradesman for making a mess of the first attempt, then pay him extra to fix it and take him/her out on a night out to celebrate.