Not what you want to see when you’ve just paid for a holiday!
As reported across major news networks over the world, British Airways has suffered a data breach that not only includes customer data but also includes payment details. Details from 380,000 customers have been accessed by an unauthorised third party. More details can be found on news sites such as:
It’s likely that attackers have compromised a web service which is linked to payment services, however no specific details have been released yet so until then we can only speculate.
In this post we look at the information reported by British Airways, guidance for customers from BA, ourselves and NCSC but also we discuss the steps business’s should be taking to ensure they have a strong security posture, especially where customer data is concerned.
The message from British Airways
British Airways has notified customers via it’s website and via news agencies (we believe affected customers have also been notified). The following URL goes to the page BA has set up to provide customers information.
British Airways has made statements (as reported by the BBC) as follows:
“We are 100% committed to compensate them, period,” Mr Cruz told the BBC’s Today programme.”
“We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”
“We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.”
It’s clear that BA are taking the response seriously, but you have to wonder how attackers have managed to get credit card data…(as reported on the BBC) Prof Alan Woodward at the University of Surrey has hypothesised, the attackers likely intercepted the card details by implanting malicious code to read card details as they were provided from customers. Other attack vectors may include a payment provider supply chain attack, but this seems unlikely.
Steps to take
If you’re a customer, then clearly, we would advise in line with the guidance from BA/NCSC you should:
- reset your password using a unique pass phrase (ideally use a pass phrase of random words sperated with spaces or use a random string from a password manager – long is strong!)
- Use a password manager
- Review your bank/credit card statements for fraudulent transactions
- Contact your bank
- Check your email addresses on https://haveibeenpwned.com to see if you have been involved in any breaches (past or current, it’s worth subscribing for breach notifications as well!)
In addition to this NCSC has provided guidance at the following site:
if you are a business think about the following:
- Could this happen to your business?
- Are you prepared in case a breach does occur?
- Have you got plans in place?
- Have you reviewed your security controls and practises?
What does this teach us?
Barely a week, maybe even a day goes by without another data breach being announced. Companies both large and small are targets for cyber-attacks. Ensuring your organisation has a good security posture and your customers data is protected is key, regardless of the size of your business.
From a humble website for a small online retailer through to a global enterprise, security has never been higher on the agenda. It’s important to understand your security posture and ensure your business is doing the right thing, not only to limit risk but also to protect the rights of its customers.
Conducting a yearly penetration test simply isn’t enough to protect your brand, reputation and customers. You need to be on top of your cyber defence game and that starts by understanding where you are today both from a strength and weakness perspective.
Don’t let hackers fly away with your data
We are creating a series of blog posts on monitoring critical files, if you would like to see more please take a look at the following posts:
PSTG and Xservus has a range of services from security strategy through to managed services which can help your business prevent, detect and respond to current and emerging cyber threats. If you’re in need of security assistance, please contact one of the team either by phone (0203 907 9500) or emailing [email protected] and we’ll be glad to discuss how our team can help you!