British Airways has suffered a data breach and has confirmed that personal and financial details of some 380,000 customers have been compromised.

About the breach

“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making or changing bookings on our website ba.com and mobile app were compromised,” the company stated. “The stolen data did not include travel or passport details.”

There is no indication yet of how the breach happened. The police and relevant authorities have been notified.

The company began notifying affected users directly, advising them to keep an eye on their bank accounts, to contact their banks or credit card providers, and to follow their recommended advice.

“Every customer affected will be fully reimbursed and we will pay for a credit checking service. We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis,” the company added.

As a precaution, customers could also reset their ba.com password and choose a new strong and unique one.

BA said that “the incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal.”

Expert reactions

“This is not the whole story. Air Canada was hacked and between August 22 and August 24 customers’ passport details may have been compromised. The overlapping dates are probably a blessing as the odds are small that the same customers booked both airlines in the two-day window of overlap,” commented Randy Abrams, a senior security analyst at Webroot. “In both cases, this is data that now may be available to cybercriminals to aggregate and correlate to build significantly comprehensive profiles.”

Mark Adams, Regional Vice President of UK & Ireland, Veeam, noted that the fact British Airways reported the breach so quickly is a positive.

“While it is unclear who is fully responsible for the detection of this security incident, the subsequent communications have been positive; many could learn from the handling of this. Unfortunately, breaches can happen to any business and while BA remain on the back foot to ensure this doesn’t happen again, it’s important to highlight why all businesses need to be far more proactive in managing data and systems, and getting security and monitoring of data right up front,” he noted.

“To reduce the chances of breach complaints and payment of heavy fines, businesses have several steps they can take. First and foremost, work to deliver a company-wide employee training program on data protection and phishing attacks. Human-led errors are still the weakest link in the security chain for a business. From a technology standpoint, implementing intelligent data management tools that can monitor, automatically spot irregularities and act accordingly is critical. Data collected by an organisation the scale of an airline is vast; and they are a prime example of the type of business that needs to move from a policy-based mindset of security and data management to an automated, behaviour-led approach that can spot inaccuracies and obscure patterns in data usage.”

Ilia Kolochenko, CEO of High-Tech Bridge, noted that shadow IT and legacy applications are a plague today.

“Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey for the attackers.”