Slashdot Mirror


380,000 Card Payments Compromised In British Airways Breach (sky.com)

Earlier today, British Airways said credit card information of at least 380,000 customers has been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."

50 comments

  1. when not if by johnsnails · · Score: 1

    when not if

    1. Re: when not if by Anonymous Coward · · Score: 0

      Civil remedies needed.

    2. Re: when not if by Anonymous Coward · · Score: 0

      Pee in my butt you sissy faggot!!

    3. Re: when not if by Anonymous Coward · · Score: 0

      I just want to gurgle the juice afterwards thanks.

    4. Re: when not if by Anonymous Coward · · Score: 0

      You can have some fresh squeezed santorum as well. Frothy with plenty of head.

    5. Re: when not if by Anonymous Coward · · Score: 0

      Yes, very few of these hackers are ever brought to face justice. The police in most countries are helpless and not helpful: "it happened online, we don't know, the 19th century is where we are comfortable." Interpol? Another UN resolution? Some binding international agreement where countries that don't sign are cut off online - phones, flights, internet, resources, import & export. Sealed off.

    6. Re: when not if by Anonymous Coward · · Score: 0

      All those updated privacy statements and little popups that say "can we use cookies to track you" must be working really well. Choose your fucking battles morons.

  2. And that should be really expensive for them by gweihir · · Score: 4, Insightful

    Say, $100 per customer, payable to the customer for their hassle. But likely this will not cost them a thing. So it will happen again and again and again.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    1. Re: And that should be really expensive for them by Anonymous Coward · · Score: 0

      British cards are unhackable and fraud proof. No reason for anyone to worry.

    2. Re:And that should be really expensive for them by Anonymous Coward · · Score: 0

      why is this data even online? ya sure, you need to accept the information in order to process the transaction.. but then once you have it, get it OFF THE FUCKING INTERNET, it doesn't need to be there.. especially not the damn credit card details.

    3. Re:And that should be really expensive for them by Anonymous Coward · · Score: 3, Informative

      But likely this will not cost them a thing.

      That is far from reality. To process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standard), a self-regulatory scheme created and ruled by the major card brands. When such an incident happens it usually hurts companies pretty badly, because the following things happen:

      - You need to engage with a PCI forensic company (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're talking about probably 20-30 companies worldwide and they know this is not really an option for you and that you must move on quickly, so they won't hesitate to charge you 300-500 USD per hour. They assess the extent of the breach, the number of accounts compromised and whether or not this was because you were not complying with the PCI requirements.

      - If it turns out to be the case, you will have to pay non-compliance fines. This ranges between 10,000 and 100,000USD, but this is usually the least of your worries. (These fines are imposed by card brands to acquiring banks and then passed onto the merchant)

      - Merchants are then liable for the costs issuing banks incurred to remediate the breach. The biggest part of these costs is re-issuing cards and recovering fraudulent charges made on compromised cards. This depends on the volume of the breach; the average cost is somewhere between 3 and 4 million USD, but when this happens to large merchants we're talking more about tens of millions. (The range is quite large, but we're talking about 30-100 USD/card.)

      - Merchants are responsible to notify each impacted customer individually

      - Before being able to process payments again, you will have to demonstrate to your acquiring banks that you are now compliant and able to prevent future security breaches. This means getting your (or external) security experts fully focused on that

      - Reputational damage is to be considered; the loss of customer confidence will most likely have an impact on sales.

    4. Re:And that should be really expensive for them by hcs_$reboot · · Score: 1

      Or, at least, keep it encrypted.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    5. Re:And that should be really expensive for them by Anonymous Coward · · Score: 0

      Encrypted doesn't matter if the password can be guessed easily.... So it's the same problem as being able to login to see the data.

    6. Re:And that should be really expensive for them by Joce640k · · Score: 2

      Sure, you rack up a couple of million in penalties... ...then you divide that number by 380,000 and it only cost you $6 per customer.

      No biggie.

      --
      No sig today...

    7. Re:And that should be really expensive for them by Simon+Rowe · · Score: 1

      Not hard enough, £/$1,000 per account leaked plus one C-level exec packs a bag for some jail time. Until someone's ass is on the line this sort of incompetence will continue. And yes, my details were included in the breach, w@nkers.

    8. Re:And that should be really expensive for them by mjwx · · Score: 1

      Ordinarily yes, but you're clearly not familiar with BA, who are worse than Ryanair in regards to weaselling out of their financial obligations. When they clearly owe you compensation (either due to European statutes or financial cost incurred by you due to their failure) then you are told to go to your travel insurer, if you refuse you're given the run around until you give up or manage to get to an authority that has power over BA. They are worse than American airlines (as in airlines operating out of the US, not American Airlines specifically).

      BA/Iberia (they're the same company) are really the second worst airlines you can fly (only QANTAS are worse).

      I'm 4 months into a lost baggage claim with Iberia... They're still hoping I'm going to give up. If anyone can avoid their financial obligations, it's BA.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.

    9. Re:And that should be really expensive for them by ole_timer · · Score: 1

      as long as the cost of this does not exceed shrinkage (or whatever they call waste, fraud and abuse in the airlines, etc.) it will keep happening

      --
      nothing to see here - move along

  3. For 380,000 ... by CaptainDork · · Score: 1

    ... years, the universe was in an expanding opaque plasma state so dense that photons could not travel very far.

    Coincidence?

    Yes, I'm sure of it.

    --
    It little behooves the best of us to comment on the rest of us.

    1. Re:For 380,000 ... by Anonymous Coward · · Score: 0

      Wow, Chris, you're so funny and random! You must be smart too! Gosh!

    2. Re:For 380,000 ... by CaptainDork · · Score: 1

      I don't like it when people call me smart.

      It makes the assumption that I am better than they.

      I'm not.

      The word you're looking for is "experienced."

      Experience + exposure = expertise. ~ © 2018 CaptainDork

      --
      It little behooves the best of us to comment on the rest of us.

    3. Re:For 380,000 ... by Anonymous Coward · · Score: 0

      Get my family friendly Goat C shirt! ~ CaptainSmork

  4. Another one? by Anonymous Coward · · Score: 0

    Breaches seem commonplace now. This is why I decided to sign up for Privacy virtual debit cards to use online (and use chip/NFC in store). It lets you use a different card number with every site, and even has single use burner card numbers and spending limits. If you use lots of burner cards and set strict spending limits on merchant cards you have little risk of getting wiped out due to a data breach. Wonderful.

    Shameless referral links: https://privacy.com/join/JWVHW

  5. Unintended meanings by Anonymous Coward · · Score: 0

    We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.

    Am I the only one that initially read that as the airline admitting their lack of securing data they store was criminal activity on the airlines part?

    "Hello neighbor, the delivery guy said you weren't home and left some expensive looking things of yours with me. I just left them all sitting on the front lawn, but they seem to be gone now. I guess those darn thieves will be thieves. Totally not my fault, but I'm deeply sorry they took your stuff!"

    1. Re:Unintended meanings by amalcolm · · Score: 1

      Email. What freaking e-mail? I am directly affected by this, I bought tickets a month ago and am currently on holiday. Just cancelled my card, not a word from BA

      --
      Time for bed, said Zebedee - boing

    2. Re:Unintended meanings by jeremyp · · Score: 1

      Has it occurred to you that you weren't one of the affected customers?

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe

    3. Re:Unintended meanings by amalcolm · · Score: 1

      Of course, but now how am I supposed to know? Wait for someone to raid my card up to the credit limit?

      --
      Time for bed, said Zebedee - boing

    4. Re:Unintended meanings by tendrousbeastie · · Score: 1

      The affected people are those who bought tickets between August 21st and September 5th. That you haven't received an email reflects the fact that you bought your tickets around three weeks before the affected time period.

      I too bought BA tickets at the beginning of August, and I likewise have not received any communication from BA about this issue. This does not surprise me.

  6. What else is new. by Hallux-F-Sinister · · Score: 1

    -Sigh-.

    This is why we can’t have nice things.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.

  7. On the bright side by Anonymous Coward · · Score: 0

    99.9% of those affected by this breach were already compromised in one of the other dozens of breaches from this year alone.

  8. Not enough by hcs_$reboot · · Score: 2

    "We take the protection of your personal information very seriously" Almost insulting to put that in the email sent to affected clients.

    --
    Slashdot, fix the reply notifications... You won't get away with it...

    1. Re:Not enough by coofercat · · Score: 1

      I'm glad I saw the email here, because we sure didn't get one in our inbox. We had a card suddenly show some weird $1 transactions in the US while we're in the UK, and we booked a flight during the 'window' of the attack. No emails from BA though.

      BA have two speeds of IT. On the one hand, they have some excellent ideas and design - ba.com went from being a waste of space to being the best airline booking system anywhere (at the time, others have caught up now). They've got some really good build quality on some of the walls, windows and roofs of their building. They seem to have outsourced all the foundations and utilities to Bodge it and Leggit though, so occasionally bits of the walls collapse, and turning on a light switch sometimes turns on a light, sometimes the bulb explodes, and sometimes nothing at all happens.

      I'm waiting to see how GDPR plays out on this one. The ICO has to "be seen" to do something here, so it remains to be seen exactly what they do.

  9. GPDR could bite hard by Bruce66423 · · Score: 2

    Given the new EU regulations since May, there's a very good chance that BA will be fined a very respectable amount - in the tens if not hundreds of millions of pounds. Certainly it's a good opportunity for us to see if such fines will be used to frighten companies into doing better. OTOH we have to accept that everyone gets burgled occasionally...

    1. Re:GPDR could bite hard by Anonymous Coward · · Score: 1

      BA have no business holding the card details in a hackable, web-accessible location; they should just hold an identifier that they use to reference a payment provider service. They should use a third-party payment provider service or implement one internally and use that. The payment provider service should be within an ultra-secure area and have a very restricted, minimal interface to the rest of the company.

    2. Re:GPDR could bite hard by alex67500 · · Score: 1

      I have a feeling a lot of companies will be watching this one closely. IIRC the regulation states anywhere between 20m EUR and 4% of revenues, which would be just under half a billion euros on 2016 figures. (And almost 1bn dollars if directed at parent company IAG).

    3. Re:GPDR could bite hard by alex67500 · · Score: 1

      From the reports I've been reading this morning, the data was stolen at transaction time, so most likely some kind of MITM attack or code injection on the payment page.

      Also, it seems that cards saved on the website might be alright, which points to the fact that saved cards are "tokenized" in some way, and not sent across the network in that case. Which would actually be good practice in this particular case...
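      The two comments above (hold only an identifier that references a separate payment service; saved cards are "tokenized") describe the same design. The Python sketch below is an added illustration of that design and is not code from this page, from BA, or from any payment provider. Everything in it is constructed: the `TokenVault` stands in for a separate, firewalled card-data service (a real one would encrypt PANs at rest and sit behind an authenticated, minimal API), `Merchant` is the booking-side system that keeps only a token, last four digits and expiry, `pan_leak_scan` is a defensive check that flags any Luhn-valid card-number-shaped string found in merchant-side data, and the card number is the well-known 4111 1111 1111 1111 test number.

```python
"""Tokenization sketch: the merchant side never stores a full card number (PAN).

Constructed example. The vault is an in-process stand-in for a separate,
tightly firewalled service with a minimal API; nothing here is production code.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds PANs behind a trust boundary; never hands a PAN back to the merchant."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        # Random token, not derived from the PAN: it cannot be reversed or
        # brute-forced offline, so a leaked token alone is worthless to a thief.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def authorize(self, token: str, amount_pence: int) -> str:
        """Stand-in for forwarding a charge to the acquirer; returns only an auth reference."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        return "auth_" + secrets.token_hex(8)


@dataclass
class MerchantRecord:
    """What the booking system keeps: enough to display and re-charge, nothing to clone a card."""
    token: str
    last4: str
    expiry: str


class Merchant:
    """Booking-side system: talks to the vault, stores tokens only."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.cards: Dict[str, MerchantRecord] = {}   # customer_id -> record

    def save_card(self, customer_id: str, pan: str, expiry: str) -> MerchantRecord:
        token = self._vault.tokenize(pan)
        rec = MerchantRecord(token=token, last4=pan.replace(" ", "")[-4:], expiry=expiry)
        self.cards[customer_id] = rec
        return rec

    def charge(self, customer_id: str, amount_pence: int) -> str:
        return self._vault.authorize(self.cards[customer_id].token, amount_pence)


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def pan_leak_scan(blob: str) -> List[str]:
    """Defensive check: any Luhn-valid 13-19 digit run in merchant-side data is a finding."""
    return [m for m in PAN_CANDIDATE.findall(blob) if luhn_ok(m)]


def demo() -> dict:
    vault = TokenVault()
    shop = Merchant(vault)
    test_pan = "4111 1111 1111 1111"            # constructed: the standard Visa test number
    rec = shop.save_card("cust-1", test_pan, "12/27")
    auth = shop.charge("cust-1", 12_500)        # 125.00 GBP in pence
    merchant_dump = repr(shop.cards)            # what a compromise of the web tier would expose
    return {
        "token": rec.token,
        "last4": rec.last4,
        "auth": auth,
        "merchant_dump_findings": pan_leak_scan(merchant_dump),       # expect []
        "vault_dump_findings": pan_leak_scan(repr(vault._pan_by_token)),  # the PAN lives only here
    }


if __name__ == "__main__":
    print(demo())
```

      The point of the scan at the end is the audit a merchant can run on its own databases, logs and backups: with this layout, nothing outside the vault should ever match, and a hit is an incident to investigate rather than a false positive to tune away.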

    4. Re:GPDR could bite hard by Anonymous Coward · · Score: 0

      That's called layering.
      Payment provider services are leeches and usually sub-sub-outsourced anyway. BA is in financial trouble IF pensions are going to be paid going forward. My bet is they did payments themselves - 2% tax free is a big deal, probably a cloud setup to re-send, and obviously untested by experienced people, and ripped off during the transaction phase - because if they were stored they will be struck off. So some server compromised, the weakest link as it were. Sue the design and Integration team - they should be insured.
      Knowing BA, the contract was from some 2 quid shell company. Fine, the new EU rules SHOULD hit the web side booking operation, that should be another 2 quid company - or Delaware LLC in USA terminology. Otherwise BA will pay dearly.

    5. Re:GPDR could bite hard by houghi · · Score: 1

      That is not how GDPR works at all. What differs is that:
      1) They need to have reasonable protection in place.
      2) They need to inform people and instances when hacked.
      3) They need to have a person responsible.

      Just because they were hacked does not mean they need to pay. That would be very stupid, as this will happen. It will depend on each individual situation.

      --
      Don't fight for your country, if your country does not fight for you.

  10. It will be interesting to see what does come out by Bruce66423 · · Score: 1

    As to why this happened and what went wrong. Certainly there will be no excuse for lack of resources in the IT department; OTOH a configuration error is always possible.

  11. Man in the middle attack? by Bruce66423 · · Score: 1

    It's not clear yet, but given it was "transactions" that were reported as abused, such an attack would make sense.

  12. The curse of Outsourcing by Anonymous Coward · · Score: 0

    This is not the first time BA has fucked up their own IT department.

    In July, tens of thousands of travelers were stuck in Heathrow airport due to 'failure' of their computer system.

    Both the July incident and this one can be traced down to OUTSOURCING.

    British Airways management has OUTSOURCED their IT operation to INDIA, employing hundreds (or even thousands) of Indians, while firing almost *ALL* their European IT staffs.

    Thanks, BA, because I will never fly an airline which doesn't care about its loyal customers and their own employees, of their home country.

    1. Re:The curse of Outsourcing by Bert64 · · Score: 2

      Thanks, BA, because I will never fly an airline which doesn't care about its loyal customers and their own employees, of their home country.

      Sounds like you'll never be flying then...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  13. digital branding agency by Anonymous Coward · · Score: 0

    This article is more informative best article i have seen
    Its help you for further details click the link below

    In new york digital branding agency IOITSOL is one of the best new york digital branding agency. In new york digital branding agency IOITSOL Provide best work in new york. New york digital branding agency or company encompasses many different skills and disciplines in the production and maintenance of the new york digital branding agency. The different areas of application include UI design; interface design user experience design. Today in new york digital branding agency IOITSOl is the best agency. IOITSOL is also the Most creative new york digital branding agency in the past recent years.

    https://www.ioitsol.com/

  14. Re:It will be interesting to see what does come ou by Anonymous Coward · · Score: 0

    No expense was spared, except on decent IT staff.

  15. Going downhill by joncombe · · Score: 1

    Unfortunately, since Alex Cruz took over the helm, British Airways have become a budget airline in every respect apart from the price. Checked bags no longer included. No food or drink included. Pay extra to select seats. Coupled with (in my experience) very frequent schedule changes after booking and poor customer service. Coupled to that frequent IT problems, and some industrial relation issues. I only use them when no other airlines fly the route. The only thing that isn't like a budget airline is the price.

  16. How to tell when a corporation is lying by Anonymous Coward · · Score: 0

    "We take the protection of your personal information very seriously." EVERY TIME.

  17. Thanks by Bruce66423 · · Score: 1

    Good point. The interesting question will be the issue of 'reasonable protection' - and the court cases to determine that are still in the future. Let's hope that it's a reasonably high standard set so there is a good incentive to big companies to get it RIGHT!