380,000 Card Payments Compromised In British Airways Breach (sky.com)

← Back to Stories (view on slashdot.org)

380,000 Card Payments Compromised In British Airways Breach (sky.com)

Posted by BeauHD on Thursday September 6, 2018 @02:50PM from the sorry-not-sorry dept.

Earlier today, British Airways said credit card information of at least 380,000 customers have been "compromised" in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information -- but not travel or passport details. Sky News reports: In an email to affected customers, BA said: "We're deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused." The breach has been "resolved" and the website is "working normally," it said. In a statement, the airline added: "We have notified the police and relevant authorities... [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."

27 of 50 comments (clear)

Min score:

Reason:

Sort:

when not if by johnsnails · 2018-09-06 14:55 · Score: 1

when not if
And that should be really expensive for them by gweihir · 2018-09-06 15:03 · Score: 4, Insightful

Say, $100 per customer, payable to the customer for their hassle. But likely this will not cost them a thing. So it will happen again and again and again.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:And that should be really expensive for them by Anonymous Coward · 2018-09-06 18:21 · Score: 3, Informative
  
  But likely this will not cost them a thing.
  That is far from reality, to process, transmit and store card data, a merchant is contractually required by its acquiring banks to comply with the PCI DSS (Payment Card Industry Data Security Standards), this is a self-regulatory scheme created and ruled by major card brands. When such an incident happens usually it hurts companies pretty bad because the following things happen:
  - You need to engage with a PCI forensic company (PFI) that has been approved by VISA/MC, and you have 5 days to do that. We're talking about probably 20-30 companies worldwide and they know this is not really an option for you and that you must move on quickly, so they won't hesitate to charge you 300-500 USD per hour. They assess the extent of the breach, the number of accounts compromised and whether or not this was because you were not complying with the PCI requirements.
  - If it turns out to be the case, you will have to pay non-compliance fines. This ranges between 10,000 and 100,000USD, but this is usually the least of your worries. (These fines are imposed by card brands to acquiring banks and then passed onto the merchant)
  - Merchants are then liable for the costs issuing banks incured to remediate the breach. The big part of these costs are about re-issuing cards and recovering fraudulent charges made on compromised cards. This depends on the volume of the breach, the average cost is somewhere between 3 and 4 million USD but when this happens to large merchants, we're more talking about tens of millions. (the range is quite large but we're talking about 30-100USD/card)
  - Merchants are responsible to notify each impacted customer individually
  - Before being able to process payments again, you will have to demonstrate to your acquiring banks that you are now compliant and able to prevent future security breaches. This means getting your (or external) security experts fully focused on that
  - Reputational damage is to be considered, the loss of customer confidence will most likely have an impact the sales
2. Re:And that should be really expensive for them by hcs_$reboot · 2018-09-06 18:33 · Score: 1
  
  Or, at least, keep it encrypted.
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
3. Re:And that should be really expensive for them by Joce640k · 2018-09-06 20:48 · Score: 2
  
  Sure, you rack up a couple of million in penalties... ...then you divide that number by 380,000 and it only cost you $6 per customer.
  No biggie.
  
  --
  No sig today...
4. Re:And that should be really expensive for them by Simon+Rowe · 2018-09-06 23:59 · Score: 1
  
  Not hard enough, £/$1,000 per account leaked plus one C-level exec packs a bag for some jail time. Until someone's ass is on the line this sort of incompetence will continue. And yes, my details were included in the breach, w@nkers.
5. Re:And that should be really expensive for them by mjwx · 2018-09-07 01:17 · Score: 1
  
  Ordinarily yes, but you're clearly not familiar with BA, who are worse than Ryanair in regards to weaselling out of their financial obligations. When they clearly owe you compensation (either due to European statutes or financial cost incurred by you due to their failure) then you are told to go to your travel insurer, if you refuse you're given the run around until you give up or manage to get to an authority that has power over BA. They are worse than American airlines (as in airlines operating out of the US, not American Airlines specifically).
  
  BA/Iberia (they're the same company) are really the second worse airlines you can fly (only QANTAS are worse).
  
  I'm 4 months into a lost baggage claim with Iberia... They're still hoping I'm going to give up. If anyone can avoid their financial obligations, it's BA.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
6. Re:And that should be really expensive for them by ole_timer · 2018-09-07 09:39 · Score: 1
  
  as long as the cost of this does not exceed shrinkage (or whatever they call waste, fraud and abuse in the airlines, etc.) it will keep happening
  
  --
  nothing to see here - move along
For 380,000 ... by CaptainDork · 2018-09-06 15:07 · Score: 1

... years, the universe was in an expanding opaque plasma state so dense that photons could not travel very far.
Coincidence?
Yes, I'm sure of it.

--
It little behooves the best of us to comment on the rest of us.
1. Re:For 380,000 ... by CaptainDork · 2018-09-07 01:34 · Score: 1
  
  I don't like it when people call me smart.
  I makes the assumption that I am better than they.
  I'm not.
  The word you're looking for is "experienced."
  
  Experience + exposure = expertise. ~ © 2018 CaptainDork
  
  --
  It little behooves the best of us to comment on the rest of us.
What else is new. by Hallux-F-Sinister · 2018-09-06 16:20 · Score: 1

-Sigh-.
This is why we can’t have nice things.

--
Our reign has gone on long enough. Indeed. Summon the meteors.
Not enough by hcs_$reboot · 2018-09-06 17:35 · Score: 2

"We take the protection of your personal information very seriously" Almost insulting to put that in the email sent to affected clients.

--
Slashdot, fix the reply notifications... You won't get away with it...
1. Re:Not enough by coofercat · 2018-09-07 01:22 · Score: 1
  
  I'm glad I saw the email here, because we sure didn't get one in our inbox. We had a card suddenly show some weird $1 transactions in the US while we're in the UK, and we booked a flight during the 'window' of the attack. No emails from BA though.
  BA have two speeds of IT. On the one hand, they have some excellent ideas and design - ba.com went from being a waste of space to being the best airline booking system anywhere (at the time, others have caught up now). They've got some really good build quality on some of the walls, windows and roofs of their building. They seem to have outsourced all the foundations and utilities to Bodge it and Leggit though, so occasionally bits of the walls collapse, and turning on a light switch sometimes turns on a light, sometimes the bulb explodes, and sometimes nothing at all happens.
  I'm waiting to see how GDPR plays out on this one. the ICO has to "been seen" to do something here, so it remains to be seen exactly what they do.
Re:Unintended meanings by amalcolm · 2018-09-06 19:09 · Score: 1

Email. What freaking e-mail? I am directly affected by this, I bought tickets a month ago and am currently on holiday. Just cancelled my card, not a word from BA

--
Time for bed, said Zebedee - boing
GPDR could bite hard by Bruce66423 · 2018-09-06 19:33 · Score: 2

Given the new EU regulations since May, there's a very good chance that BA will be fined a very respectable amount - in the tens if not hundreds of millions of pounds. Certainly it's a good opportunity for us to see if such fines will be used to frighten companies into doing better. OTOH we have to accept that everyone gets burgled occasionally...
1. Re:GPDR could bite hard by Anonymous Coward · 2018-09-06 21:23 · Score: 1
  
  BA have no business holding the card details in a hackable web accessible location, they should just hold an identifier that they use to reference a payment provider service. They should use a third party payment provider service or they should implement one internally and use that, the payment provider service should be within an ultra secure area and have a very restricted minimal interface to the rest of the company,
2. Re:GPDR could bite hard by alex67500 · 2018-09-07 00:35 · Score: 1
  
  I have a feeling a lot of companies will be watching this one closely. IIRC the regulation states anywhere between 20m EUR and 4% of revenues, which would be just under half a billion euros on 2016 figures. (And almost 1bn dollars if directed at parent company IAG).
3. Re:GPDR could bite hard by alex67500 · 2018-09-07 00:39 · Score: 1
  
  From the reports I've been reading this morning, the data was stolen at transaction time, so most likely some kind of MITM attack or code injection on the payment page.
  Also, it seems that cards saved on the website might be alright, which points to the fact that saved cards are "tokenized" in some way, and not sent across the network in that case. Which would actually good practice in this particular case...
4. Re:GPDR could bite hard by houghi · 2018-09-07 02:27 · Score: 1
  
  That is not how GPRS works at all. What differs is that.
  1) They need to have reasonable protection in place.
  2) They need to inform people and instances where hacked.
  3) They need to have a person responsible
  Just because they where hacked, does not mean they need to pay. That would be very stupid as this will happen. It will depend on each individual situation.
  
  --
  Don't fight for your country, if your country does not fight for you.
It will be interesting to see what does come out by Bruce66423 · 2018-09-06 19:36 · Score: 1

As to why this happened and what went wrong. Certainly there will be no excuse for lack of resources in the IT department; OTOH a configuration error is always possible.
Man in the middle attack? by Bruce66423 · 2018-09-06 19:53 · Score: 1

It's not clear yet, but given it was "transactions" that were reported as abused, such an attack would make sense.
Re:Unintended meanings by jeremyp · 2018-09-06 22:53 · Score: 1

Has it occurred to you that you weren't one of the affected customers?

--
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Re:The curse of Outsourcing by Bert64 · 2018-09-06 23:54 · Score: 2

Thanks, BA, because I will never fly an airline which doesn't care about its loyal customers and their own employees, of their home country.
Sounds like you'll never be flying then...

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Going downhill by joncombe · 2018-09-07 01:17 · Score: 1

Unfortunately, since Alex Cruz took over the helm, British Airways have become a budget airline in every respect apart from the price. Checked bags no longer included. No food or drink included. Pay extra to select seats. Coupled with (in my experience) very frequent shcedule changes after booking and poor customer service. Coupled to that frequent IT problems, and some industrial relation issues. I only use them when no other airlines fly the route. The only thing that isn't like a budget airline is the price.
Thanks by Bruce66423 · 2018-09-07 05:03 · Score: 1

Good point. The interesting question will be the issue of 'reasonable protection' - and the court cases to determine that are still in the future. Let's hope that it's a reasonably high standard set so there is a good incentive to big companies to get it RIGHT!
Re:Unintended meanings by amalcolm · 2018-09-07 06:23 · Score: 1

If course, but now am I supposed to know? Wait for someone to raid my card up to the credit limit?

--
Time for bed, said Zebedee - boing
Re:Unintended meanings by tendrousbeastie · 2018-09-07 07:37 · Score: 1

The affected people are those who bought tickets between August 21st and September 5th. That you haven't received an email reflects that fact that you bought your tickets around three weeks before the affected time period.
I too bought BA tickets at the beginning of August, and I likewise have not received any communication from BA about this issue. This does ot surprise me.