‘Customer data theft’. That is the grim message now greeting visitors to British Airways’s UK website. ‘We are investigating the theft of customer data from our website and mobile app’, it says. ‘The website is now working normally’.
The website might now be fine, but it will probably take a little longer for the rest of the company’s operations to get back to normal. The data theft, the website explains through a link, took place between August 21 and September 5 and involved ‘personal and financial details of customers’ making or changing bookings on ba.com and through the mobile app.
‘The data did not include travel or passport details. We understand that this incident will cause concern and inconvenience. We are contacting all affected customers to say sorry, and we will continue to update them in the coming days’, the website continues.
What British Airways (BA) does not say on its website is that as many as 382,000 customers were hit and that they lost records of their names, addresses, and payment card information, including the number, expiry date, and security code of any credit card used. That kind of information is highly valuable for sale or use.
After BA revealed on Friday that the data theft had occurred, the airline’s booked passengers scrambled to protect themselves. Many immediately cancelled their credit cards, but many more found it had already been done for them. Several British banks, including Santander and Barclays, unilaterally cancelled and re-issued any of their cards that had been used in the British Airways system between the dates in question.
Our fault, but you pay
All would-be travellers, like one Bangkok-based English businessman working in the defence, military, and security industries, received emails from BA informing them of all their information that had suddenly become criminally available.
‘Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice’, the email warned.
The Bangkok-based businessman said he went further. Fearing that more information than revealed could have been stolen from BA’s servers, such as maintenance schedules and flight plans, he cancelled his flight, at what he calls ‘considerable expense’, and has vowed never to fly British Airways again.
British Airways in Bangkok told the man that there was no waiver of its cancellation policy, and that cancelling his return business-class flight to London would cost him Bt11,000 (about US$335), even though he was cancelling because of their data theft.
An affected British Airways customer has his say. Video: J4vv4D
“Though I might worry about my home being burgled while I am in England, as the dark web now apparently has access to most of my personal details, I was more worried about flying over or near Russian air space with a carrier of dubious IT security at a time when relations between the UK and Russia are somewhat strained”, he explained.
Another disgruntled victim of the BA hack was Javved, who posted his reaction on YouTube, remarking on the length of time the hackers were able to stay in the system.
‘That’s like my wife saying: Oh, I left the porch door open. Oh what, overnight? No, for the last three and a half years!’
Javved complains that the emails sent by British Airways only wasted his time and compares the company’s website to tangled earphone wires.
Billion dollar class-action suit
Cancelled bookings, disgruntled customers, and regulatory investigations aren’t the company’s biggest headache. British Airways is facing a potential £897 million ($1.17 billion) fine for letting the data theft happen and, in addition, it may have to pay each affected customer more than just the reimbursement of the ‘direct financial losses’ the company has already promised.
SPG Law, the U.K. branch of US law giant Sanders Phillips Grossman, has launched a class-action suit seeking orders that British Airways pay compensation of up to £1,250 ($1,600) to each victim for ‘non-material losses’ as covered by the latest version of the Data Protection Act.
“Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems”, said SPG Law partner Tom Goodhead, adding “Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”
Meanwhile, a cyber-investigator with an American digital threat management company, who has had success looking into high-profile hacks, says he may have figured out how the BA website was breached.
In a report published on his company blog, RiskIQ threat researcher Yonathan Klijnsma reported that his team had discovered that a ‘threat group’ named Magecart had forced its way into the BA website by rewriting 22 lines of a script loaded on the baggage-claim information page, an outdated component that provided a back way in.
That was enough, Mr Klijnsma wrote, to let the hackers receive private information every time any of the 382,000 affected people released a mouse button or lifted their fingers from a touchpad while on the BA site.
Hackers had ‘substantial access’ to BA systems
“As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible”, Mr Klijnsma wrote.
“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”
Attempts by AEC News Today to seek comment from British Airways by email and via Twitter were not responded to.
Feature photo: Pauls Imaging Photography
- How Hackers Slipped by British Airways’ Defenses (Wired)
- British Airways CEO apologizes after more than 380,000 people impacted by data breach (Global News)
- British Airways breach: How did hackers get in? (BBC News)
- China 1937CN Team Infiltrate Vietnam Airlines, Airports (AEC News Today)
John Le Fevre in Bangkok contributed to this story