British Airways Breach

The fine being imposed on British Airways following the cyber-attack on its customer database has been reduced to £20 million from a previous figure of £183 million; the reduction takes into account BA’s response and the financial impact of the Coronavirus pandemic. An investigation by the UK’s Information Commissioner’s Office found that the airline was processing a “significant amount” of personal data “without adequate security measures in place”.

BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Over the course of 22 June to 5 September 2018 a criminal gained access to an internal British Airways application through the use of “compromised credentials” for a remote-access gateway, says the Office’s formal penalty notice. It adds that British Airways alerted it to the breach on 6 September and, while it “does not admit liability” for the breach of European data-protection regulations, the airline has “co-operated fully” with the investigation.

The inquiry has nevertheless found that the carrier “failed to process the personal data of its customers in a manner that ensured appropriate security of the data”.

The breach began when the cyber-attacker obtained access to log-in credentials belonging to an employee of the cargo-handler Swissport. British Airways believes the attacker was able to “launch tools and scripts that the remote-access gateway would ordinarily have blocked” and to bring in tools from outside the environment, which were then used to “conduct network reconnaissance”. This reconnaissance enabled the attacker to obtain the log-in and password of a privileged domain administrator account. “Access to such domain administrator credentials therefore gave the attacker virtually unrestricted access to the relevant compromised domain,” the Office states.

The attacker gained database system administrator credentials and, on 25 June 2018, successfully logged into three servers, subsequently locating files containing payment card details.

These files were actually a test feature and were not intended to be part of British Airways’ live system, the Office found, but they had been left active. This meant the system had been unnecessarily logging payment card details since December 2015, although each record was only retained for 95 days. This left 108,000 payment cards exposed.
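The failure described above is a detective-control gap as much as a design one: a test feature wrote full card details into files that nobody was checking. The script below is an added example, not code from the article or from British Airways, showing how a defender can sweep application logs for primary account numbers (PANs) and report them without re-exposing the data. The sample log lines are constructed for the example; the PAN pattern and Luhn check are standard, and anything else about the log format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log (not from the page): a booking service that logs a
# full card number in a debug line, plus benign lines with long digit runs.
SAMPLE_LOG = """\
2018-06-25T10:14:02Z INFO booking created ref=ABC123 amount=412.50
2018-06-25T10:14:03Z DEBUG payment payload: pan=4111111111111111 exp=12/20 cvv=123
2018-06-25T10:14:05Z INFO order id 1234567890123456 shipped
2018-06-25T10:14:06Z DEBUG card 5500 0000 0000 0004 authorised
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    last4: str          # only the last four digits are kept in the report
    redacted_line: str  # the offending line with every PAN masked


def scan_log(text: str) -> List[Finding]:
    """Scan log text and report every line that contains a Luhn-valid PAN."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits: List[str] = []

        def mask(m: re.Match) -> str:
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)   # order ids, timestamps etc. rarely pass Luhn
            hits.append(digits[-4:])
            return "*" * (len(digits) - 4) + digits[-4:]

        redacted = PAN_CANDIDATE.sub(mask, line)
        for last4 in hits:
            findings.append(Finding(line_no, last4, redacted))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: card ending {f.last4} -> {f.redacted_line}")
```

Run against the sample, the scanner flags lines 2 and 4 and leaves the 16-digit order id on line 3 alone because it fails the Luhn check. The report carries only the masked line, so the scan output can be handed to an application team to find and remove the logging statement without itself becoming another copy of the card data. A sweep like this, scheduled against every log location that an application can write to, is the kind of check that would have surfaced a "test feature" quietly writing card details for two and a half years.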

The attacker went further in mid-August 2018, setting up a redirect to a different website, branded ‘BAways’, which copied the payment card data of customers booking with the airline online.

This remained active for about two weeks before a third party informed the carrier of the redirect, whereupon the airline contained the vulnerability within 90 minutes. British Airways has since made “considerable improvements” to its IT security, the Office states.

British Airways states that it is “pleased” that the Office recognises its security enhancement efforts, as well as its co-operation with the probe.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of a fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on its business before setting a final penalty.
