
British Airways data breach worse than thought

British Airways has admitted that up to 185,000 more people than first thought may have had personal details compromised in August’s data breach

British Airways (BA) has revealed that its August 2018 data breach affected up to 185,000 more customers than first thought. Taken together with the revised figure for the original announcement (244,000 of the 380,000 payment cards first reported), that brings the total number of customers whose payment card details may have been affected to around 429,000.

BA’s swift response to the breach – which compromised the personal and financial details of people making bookings and changes on its website and mobile app between 10:58pm on 21 August 2018, and 9:45pm on 5 September 2018 – earned it plaudits from security commentators.

Since then, the airline said, it has been working closely with forensic investigators and the National Crime Agency, and has now found that hackers may have stolen additional personal data.

In light of this, it is notifying the holders of 77,000 payment cards that their names, postal and email addresses and card details, including the card verification value (CVV), may have been compromised, and a further 108,000 cardholders whose details may have been taken without the CVV. Because the PCI DSS prohibits storing the CVV after a transaction is authorised, its presence in the compromised data suggests the details were captured as customers entered them rather than lifted from a stored database.

The newly identified customers are only those who made reward bookings using a credit or debit card between 21 April and 28 July 2018, it added.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” said the airline in a statement. All affected passengers will be notified by 5:00pm on Friday 26 October, it added.

“In addition, from the investigation we know that fewer of the customers we originally announced were affected. Out of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud,” said BA.

“We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”

The incident could become the first major test case of the European Union’s General Data Protection Regulation (GDPR) and the UK’s aligned data protection legislation.

In contrast, earlier this week Hong Kong flag carrier Cathay Pacific, which is closely tied to BA through their shared membership of the OneWorld airline alliance, revealed that it had been sitting on a data breach affecting 9.4 million people, whose data may have been compromised as far back as March 2018.

The breach of Cathay’s systems dwarfs BA’s, and includes 860,000 passport numbers, 245,000 Hong Kong ID card numbers, as well as credit card details, names, nationalities, birth dates and historical travel information – all extremely valuable information to cyber criminals.

Rusty Carter, vice-president of product management at Arxan, said it was becoming a bad week for airline passengers, and that the two breaches raised serious questions about how the travel industry is securing both its networks and its customer data.

“While the gap in their [BA’s] security may have been plugged back in September, it is concerning that this incident, which went on for a considerably longer period of time than the previous two weeks, has only now been uncovered as part of an ongoing investigation,” he said.

“It demonstrates that enterprises still do not have in place robust enough security to protect their back-end systems and databases, or the measures in place to identify these attacks in real time and cut them off as soon as abnormal activity is detected.

“It is not beyond the means of organisations, especially those that process and manage such sensitive and critical information, to put in place tools that can analyse and detect threats or the exfiltration of data over a significant period of time.”

This was especially important, said Carter, because failing to do so puts the onus on affected customers to notify their financial services providers of any fraud of which they may become victims.

LogRhythm vice-president and Europe, Middle East and Africa (Emea) managing director, Ross Brewer, added: “If I were BA, I would be very worried about the impact both breaches will have on the company’s reputation. The fact that both data breaches have taken place in the past six months is extremely worrying – and very embarrassing for the airline.

“One of the biggest concerns with both is that they have involved the theft of personal and financial information, which increases the severity of a data breach. With credit or debit card information, it can make it much easier for hackers to commit identity fraud, as well as purchase items online, which will cause further headaches for victims as they race to cancel their cards.

“BA is a well-respected British company that prides itself on customer service and reliability, but these breaches indicate that this doesn’t extend to all areas of the business.”
