British Airways data breach

On June 22nd 2018, an attacker gained access to British Airways Network by means of compromised credentials from an employee of Swissport, a third party cargo handler.^[1] The compromised account did not have Multi-factor authentication enabled.^[1]

The attacker was initially restricted to a citrix environment, but successfully broke out of the environment by means that BA have not released.^[1] After breaking out of the environment, the attacker was able use escalate their privilege after finding an administrator password stored in plaintext on the server.^[1]

On 26 July 2018, the attacker found plain text files, containing payment card details for BA redemption transactions. The ICO's report highlighted this as follows:

The logging and storing of these card details (including, in most cases, CVV numbers) was not an intended design feature of BA's systems and was not required for any particular business purpose.

It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.

The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that

the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker.^[1]

The attacker then registered a then fake domain, baways.com.

A third-party script running on the British Airways website called Modernizer was breached by the attacker. They then modified the code this script served. Upon payment confirmation, the code captured the user's payment and personal details. It then silently sent this data to baways.com, with a 500ms delay to prevent the user from suspecting anything. The payment process appeared completely normal.

On 5th of September a third party informed BA of the malicious code acting on their website. Within 90 minutes it was removed. On the 6th of September BA informed the ICO, and 500,000 affected customers^[1].

British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018 with credit card details of around 380,000 total customers being compromised.^[2] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes – enough to allow thieves to steal from accounts.^[2] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include CVV numbers.^[3]

Of the 500,000 victims of the breech, 250,000 had their names, addresses, card numbers, and CVV numbers taken. The remainder of the victims lost less personal information.^[1]

British Airways urged customers to contact their banks or credit card issuer and to follow their advice.^[2] NatWest said that it received more calls than usual because of the breach.^[2] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.^[2]

The fine was first announced to be 1.5% of the airline's 2017 turnover, amounting to £183.39 million.

After negotiations and the financial strain of the COVID-19 pandemic, In October 2020, British Airways was fined £20 million by the Information Commissioner's Office.^[4]

On October 4th 2019, a group of 6000 impacted customers got the green light to sue British Airways collectively. Additionally, the law firm PGMBM represented over 16,000 victims and reached a confidential out-of-court settlement.^[5] Details of the settlement were not disclosed.

• EasyJet data breach