BA apologizes after 380,000 customers hit in cyber attack

		 [September 08, 2018] 
		 By Paul Sandle 
 LONDON (Reuters) - British Airways 
		apologized on Friday after the credit card details of hundreds of 
		thousands of its customers were stolen over a two-week period in the 
		most serious attack on its website and app.
 
 The airline discovered on Wednesday that bookings made between Aug. 21 
		and Sept. 5 had been infiltrated in a "very sophisticated, malicious 
		criminal" attack, BA Chairman and Chief Executive Alex Cruz said. It 
		immediately contacted customers when the extent of the breach became 
		clear.
 
 Around 380,000 card payments were compromised, the airline said, with 
		hackers obtaining names, street and email addresses, credit card 
		numbers, expiry dates and security codes - sufficient information to 
		steal from accounts.
 
 The attack came 15 months after the carrier suffered a massive computer 
		system failure at London's Heathrow airport, which stranded 75,000 
		customers over a holiday weekend.
 
 Shares in BA's parent, International Airlines Group, were down 2 percent 
		in afternoon trading on Friday.
 
		
		 
		Cruz said the carrier was "deeply sorry" for the disruption caused by 
		the attack which was unprecedented in the more than 20 years that BA had 
		operated online.
 He said the attackers had not broken the airline's encryption but did 
		not explain exactly how they had obtained the customer information.
 
 "There were other methods, very sophisticated efforts, by criminals in 
		obtaining the data," he told BBC radio.
 
 IT security company Avast said that based on the limited information 
		available the attackers had probably targeted a gateway between the 
		airline and a payment processor because no travel details had been 
		stolen.
 
 "Quite often, when it's just a hack of a database somewhere it is hard 
		to identify when something has been compromised," Avast's consumer 
		security expert Pete Turner said.
 
 "This feels much more like a transaction-type attack, where data is 
		moving about within the system."
 
 COMPENSATION
 
 Britain's government said authorities including the National Cyber 
		Security Centre and the National Crime Agency, part of the country's 
		police, were piecing together what happened.
 
 "Specialist officers from the NCA's National Cyber Crime Unit are 
		managing the ongoing investigation and are on site working with BA to 
		gain a better understanding of the incident," the NCA said.
 
            
			 
            
			British Airways logos are seen on tail fins at Heathrow Airport in 
			west London, Britain, February 23, 2018. REUTERS/Hannah McKay/File 
			Photo 
            
			 
The country's Information Commissioner's Office said it had been alerted by BA 
and it was making enquiries. Under new GDPR data regulations companies must 
inform regulators of a cyber attack within 72 hours.
 BA advised customers to contact their bank or credit card provider and follow 
their recommended advice. It also took out ads in national newspapers on Friday.
 
 Cruz said anyone who lost out financially would be compensated by the airline.
 
 Data security expert Trevor Reschke said that like any website which sees large 
volumes of card transactions, BA was a ripe target for hackers.
 
 "It is now a race between British Airways and the criminal underground," said 
Reschke, head of threat intelligence at Trusted Knight.
 
 "One will be figuring out which cards have been compromised and alerting 
victims, whilst the other will be trying to abuse them while they are still 
fresh."
 
 NatWest, one of Britain's biggest card issuers, said it was receiving 
higher-than-usual call volumes because of the breach.
 
 It said in a recorded message that its security systems would likely stop any 
fraud as a result of the hack but anyone affected should look out for unusual 
activity on their accounts.
 
 American Express said clients did not need to take any action and the company 
would alert anyone with unusual activity on their cards.
 
 IAG said the data breach had been resolved and the website was working normally, 
and that no travel or passport details were stolen.
 
 
After the computer system failure in May 2017, BA said it would take steps to 
ensure such an incident never happened again, but in July it was forced to 
cancel and delay flights out of the same airport due to problems with a 
supplier's IT systems.
 (Reporting by Paul Sandle and James Davey in London and Sangameswaran S and Rama 
Venkat Raman in Bengaluru; Editing by Keith Weir and Louise Heavens)
 
				 
[© 2018 Thomson Reuters. All rights reserved.] Copyright 2018 Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Thomson Reuters is solely responsible for this content.