Another massive Data Breach – BA Hacked

Following confirmation in August by Dixons Carphone (owners of Currys PC World, Carphone Warehouse, Mobiles.co.uk and Dixons Travel (the airport tech retailer) that c10m records had been stolen, British Airways have now announced that the Credit Card information of at least 380,000 customers has been hacked.

The airline (part of International Airlines Group – formed when BA joined forces with Iberia in 2011) confirmed that from 22:58 BST August 21st 2018 until 21:45 BST on September 5th 2018 the personal and financial data of customers making bookings on ba.com and the airlines own app were compromised.

Whilst BA continues to investigate the breach and its cause, a cyber security firm (RiskIQ) have analysed code and found what they believe to be malicious script injected in to the BA website and app which effectively skimmed the site to steal financial data.

According to RiskIQ the skimmer (known as Magacart) is similar in design to that used to compromise the Ticketmaster website previously, however, it was altered to attune to how the BA website payments page is designed. It appears that the hackers even acquired a SSL certificate to authenticate the code as genuine.

BA has advised the affected customers to contact their bank or card provider and follow their recommended advice. BA has further confirmed that financial losses directly attributed to this theft will be reimbursed.

This is a further embarrassment to BA who in July had to cancel the flights for some 7,000 passengers due to failure of another of their IT systems and in May 2017 a ‘power outage’ resulted in cancellation of hundreds of flights over a Bank Holiday weekend.

Following the introduction of the General Data Protection Regulation (GDPR) new rules in May 2018, this latest breach could result in a fine running in to many £millions. The Information Commissioner’s Office has confirmed that it is aware of the incident and is investigating.

In their Dec 2017 accounts BA announced total revenue at £12.2bn and as such the maximum fine that could be imposed by the ICO under GDPR is €20m or 4% of global turnover (up from previous £500k) resulting in a maximum fine of £489m.

If it is your job to protect your company from such a potentially devastating outcome Focus on Training can help with a wide range of Security, Cyber and Governance, and GDPR courses including: