British Airways Breach

The fine being imposed British Airways following cyber-attack on its customer database has been reduced to £20 million from a previous figure of £183 million, which takes into account BA’s response and the financial impact of the  Coronavirus pandemic. Investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Over the course of 22 June to 5 September 2018 a criminal gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice.It adds that British Airways alerted it to the breach on 6 September and, while it “does not admit liability” for the breach of European data-protection regulations, the airline has “co-operated fully” with the investigation.

The inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyber-attacker obtained access to log-in credentials for an employee of cargo-handler Swissport. British Airways believes the attacker was able to “launch tools and scripts that the remote-access gateway would ordinarily have blocked” and bring in tools from outside the environment, which were then used to “conduct network reconnaissance”. This reconnaissance enabled the attacker to access the log-in and password of a privileged domain administrator account. “Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states. 

The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files were actually a test feature and not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each was only retained for 95 days. This left 108,000 payment cards exposed.

The attacker went further in mid-August 2018, setting up a redirect to a different website, branded ‘BAways’, which copied the payment card data of customers booking with the airline online. 

This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90min.British Airways has since made “considerable improvements” to its IT security, the Office states.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of a fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

NCSC:        Guardian:       ICO:         BBC:         Flight Global:  

You Might Also Read:

Nine Million EasyJet Customers Hacked:

Air Travel Needs Stronger Cyberscurity

 

« IBM Restructures To Concentrate On The Cloud
Russian Spies Attacked Olympic Games With Malware »

Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

WEBINAR: How to fuel your DevSecOps in AWS

WEBINAR: How to fuel your DevSecOps in AWS

Thursday, May 20, 2021 - In this webinar, SANS and AWS Marketplace will discuss how to build a strategy that encompasses visibility and automation for the DevSecOps pipeline in AWS.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

eBook: Practical Guide to Security in the AWS Cloud

eBook: Practical Guide to Security in the AWS Cloud

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute.

Skyhigh Networks

Skyhigh Networks

Skyhigh is the leading cloud access security broker (CASB) trusted by enterprises to protect their data in thousands of cloud services.

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

iStorage

iStorage

iStorage is the leading global provider of PIN Activated, hardware encrypted, portable data storage solutions.

Backup Systems

Backup Systems

Backup Systems is a leading backup and disaster recovery systems provider across the UK.

SecBI

SecBI

SecBI provides an advanced threat detection system that uncovers the full scope of cyber attacks, including all affected users, domains, assets, and more.

IXDen

IXDen

iXDen provides a software solution that secures critical infrastructures, industrial systems and smart cities against attacks through network connected IoT devices.

Level Effect

Level Effect

Level Effect is developing new capabilities to bring a unique perspective on proactive network defense and advanced security analytics.

Anitian

Anitian

The Anitian Compliance Automation platform builds, configures, and monitors cloud environments to accelerate compliance for standards such as FedRAMP, PCI, ISO/GDPR and CJIS.

Cloudsine

Cloudsine

Cloudsine (previously Banff Cyber Technologies) is a cloud technology company specializing in cloud adoption, security and innovation.

Ustels

Ustels

Ustels provides brand protection strategy, intelligence, monitoring and enforcement services.

My Cyber Risks

My Cyber Risks

Small businesses need simpler and affordable cyber protection. We help small businesses understand, mitigate and insure their online risks and reputation.