British Airways hack is worse than originally thought

An additional 185,000 customer payment cards were compromised.

British Airways hack is worse than originally thought

Last month, British Airways announced that the customer data and details of some 380,000 card payments had been stolen from its network by hackers between August 21 and September 5 2018.

Now, in an update posted on its website, British Airways says it has discovered that more of its customers have been affected - with potentially impacted individuals being those who made reward bookings between April 21 and July 28, 2018, and who used a payment card.

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.”

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV.”

The numbers are here are a little confusing, so let me try to clarify things:

British Airways initially said 380,000 payment card details were accessed by hackers in late August/early September. They now say they are able to reduce that figure to 244,000. That’s obviously an improvement.

However, the airline’s investigation has also uncovered that hackers were stealing information earlier in the year, with details of an additional 77,000+108,000 payment cards.

In total, I make that 429,000 payment card details that may have been stolen - and an additional 185,000 customers who need to be notified.

Like Cathay Pacific, which announced a much larger data breach this week, British Airways is keen to underline that it has seen no evidence that stolen information has been exploited by criminals.

This is a reassuring paragraph that hacked companies often emphasise in their communications to concerned customers, but you should be cautious about feeling too reassured.

An absence of evidence is not evidence of absence – if some of the stolen data has been misused by fraudsters and spammers, it wouldn’t necessarily have been linked back to this breach.

Put simply, there’s no reason to believe that British Airways would have any visibility on whether data being misused by criminals - so we shouldn’t be surprised to hear that they’ve seen no verified cases of fraud as a result of the hack.

At the time of the original British Airways breach announcement in September we discussed the case on this episode of the “Smashing Security” podcast. Give it a listen:

Smashing Security #95: ‘British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked’

Listen on Apple Podcasts | Google Podcasts | RSS for you nerds.

Tags: ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.