
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
September 7, 2018


British Airways breach: Outsourcing, legacy systems and even GDPR under fire

The British Airways breach has prompted cybersecurity experts to cite outsourcing, a profusion of overlapping IT systems and even GDPR as potential contributory factors.

The airline is investigating the theft of hundreds of thousands of customers’ personal and financial details.

Some 380,000 payments were compromised during a two-week period between August 21 and September 5. Customers who made bookings through ba.com or the airline’s app are being urged to contact banks and credit card providers.

The news comes just a few days after a similar hack of Air Canada’s app, which compromised thousands of customers’ personal details – most alarmingly including passport numbers. The BA hack is reported to not involve travel or passport details.

Randy Abrams, senior security analyst at Webroot, said the ramifications of two separate hacks on major airlines were troubling. “In both cases, this is data that now may be available to cybercriminals to aggregate and correlate to build significantly comprehensive profiles.”

Rob Burgess, editor of UK frequent flyer website Head for Points, told the Telegraph that British Airways’ decision to outsource IT functions was now under the microscope. “Following on from the IT meltdown last year, it seems that the decision to outsource the majority of BA’s IT to India is yet again coming back to haunt them,” he said.

Many customers have taken to social media to complain at a lack of communication from the airline.

But one leading cybersecurity expert praised BA for its rapid and transparent response to the hack. “BA’s reaction is very fast,” said Ilia Kolochenko, CEO of High-Tech Bridge. “The company’s transparency and frankness serve as a good example to other companies who are prone to minimising the consequences.”

Aviation under cyber-attack: Three more recent data breaches

  • Last week Air Canada reported data theft affecting 20,000 customers
  • In July, Thomas Cook confirmed that names, emails and flight details had been accessed, but said fewer than 100 bookings were affected
  • In May, US airline Delta admitted that two breaches occurred during September and October 2017

BA’s prompt notification of the Information Commissioner’s Office could be seen as vindication of GDPR, which stipulates that companies must inform regulators within 72 hours of becoming aware of a data breach and imposes punitive fines for non-compliance.

However, Kolochenko suggested that GDPR might have had an unforeseen adverse effect.

“Cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as a perfect prey to the attackers.

“Web applications are the Achilles’ heel of modern companies and organisations. Lawmakers make their lives even more complicated, as, for example, with GDPR: many organisations had to temporarily give up their practical cybersecurity and concentrate all efforts on paper-based compliance.

“New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented.”

“Questionable at best”

Randy Abrams noted that both breaches “affected mobile app users. While no mention was made of iOS or Android, the security of financial mobile apps, especially on Android, is questionable at best.

“Although great efforts are made to secure the mobile apps, credential theft is not uncommon. In this case, mobile access from a “trusted” device from an expected location can defeat certain types of heuristics that otherwise would have raised alarm.

“The wisdom of conducting financial transactions on an Android device, in particular, is in question. Mobile security products can be used to help prevent malicious apps from compromising devices. If a consumer chooses to conduct financial transactions on a mobile device, the additional security is effectively mandatory.”

Chris Boyd, lead malware analyst at Malwarebytes, said British Airways had made tackling the problem easier by narrowing down the time frame of attack: “The only good thing we can say about this breach is that BA have provided a very short and specific date range where data may have been compromised. Typically, we’re lucky to get a date range of less than six months to a year, which makes a potential victim’s response to any threat difficult.

“This could end up being a major test of new GDPR regulations, and it’ll be fascinating to see the cause of the breach come out in the wash.”

Graeme Newman, head of innovation at insurer CFC, said he’d “be surprised if BA were hit with a significant fine by the ICO” and praised the company for detecting “the breach so quickly”. Some US-based companies, he pointed out, had taken “over a year to notice” breaches.

He noted that “BA took the relatively unusual step of notifying by taking out whole page adverts in the mainstream media. Not only was this costly but it also significantly raised the profile of the incident.”

But he suggested BA would not escape all censure from the authorities, pointing to “evidence that they were warned about the lack of security in their payment applications over a year ago. Their size combined with the fact they did nothing to act upon this advice could well result in a strict investigation by data protection authorities.”

“Bank liabilities”

However, BA’s biggest worry is their bank liabilities, said Newman. “Two banks have already re-issued cards to affected cardholders (this costs £5-£7 per card) and they will be required to reimburse the banks for any fraud conducted on the cards (could easily exceed £5m on this size breach).”

Newman noted that “because the affected individuals all made bookings through either their app or their website, they would have had reliable email addresses for the entire breached population.”

And he believed that offers of “credit monitoring to affected individuals” were “entirely ineffective given that they are dealing with a payment card breach” because “payment card charges do not hit individuals’ credit reports.”

Although Kolochenko insisted that it’s “too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins”, the hack also highlighted the problem of managing multiple systems.

“Shadow IT and legacy applications are a plague of today. Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them.”

Abrams offered this advice to BA customers: “While BA has assured the public that the affected customers will be notified, we often see the estimated number of affected individuals grow over time. It is probably best for all of the customers who booked during this time frame to talk to their banks and set up two-factor authentication.”
