back to article 'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …

  1. Kevin Fairhurst

    "We are deeply sorry for the disruption that this criminal activity has caused."

    It's criminal that they allowed a breach of this scale to 1) happen, 2) continue happening for two weeks!

    1. Anonymous Coward
      Anonymous Coward

      I wonder if VISA and Mastercard will fine them...could have fund a redundant hardware system for them.

      Not sure I'd want to be that PCI:DSS external auditor.

      It would also be interesting to see what system changes had taken place since the last QSA auditor's visit and certification.

      1. AliveAndKicking

        PCI is a joke

        Anyone can tell the auditor pretty much anything they want, they fail to spot even the most basic of issues.

        PCI audit is a gravy train. People need 2 days training to become an auditor, regardless of industry experience or domain knowledge.

        1. oxfordmale78

          Re: PCI is a joke

          The PCI audit tends to be focused on documentation, not on reality. As long as the documentation is in order, it doesn't matter if credit card details are stored unencrypted on a publicly accessible server.

          1. Anonymous Coward
            Anonymous Coward

            Re: PCI is a joke

            My old firm was doing this sort of statutory audit more than 20 years ago elsewhere in the EU, and it included checking that what the documentation said was actually being carried out.

            It sounds as though the old saying about UK auditors "auditing around the accounts" has been transferred over to IT.

      2. julian_n

        More's the point will the ICO now find some teeth under GDPR.

        With a turnover of approx €23bn, 4% is somewhat over €900M. That would kill any off-shoring savings for a year or two!

      3. Anonymous Coward
        Anonymous Coward

        Me again, Mr AC, latest news is they FAILED their Dec 2017 PCI:DSS audit.

        Perhaps ElReg can find out why through an AC with knowledge...

    2. macjules Silver badge
      Black Helicopters

      Ever so slightly annoyed. I received a notice from John Lewis last week that someone had tried to use my card to buy "tyres", so cancelled it and had it replaced. Now I just got a notice from BA that the replacement card I used to buy a flight might be 'compromised", so that has just been cancelled as well.

      I feel like going back to paying in cash for everything.

      1. seven of five

        > I feel like going back to paying in cash for everything.

        Noooo! Only criminals insist on cash, don´t you remember?

        edit: upon rereading, this makes me look like one of the tinfoil brigade. Which I thought I ain´t. Maybe sarcasm is officially dead, choked on its own vomit.

        Oh, well.

      2. Neil Spellings

        Get a Revelut account..they offer one-time-use disposable credit card numbers.

        1. Warm Braw Silver badge

          Revolut

          On the other hand, they don't (currenty) have a banking licence or FSCS protection.

          Useful article on protection and customer services issues with e-money firms here.

      3. Nano nano

        Back of the drawer ...

        Or send a cheque ...

      4. Anonymous Coward
        Anonymous Coward

        Now I just got a notice from BA that the replacement card I used to buy a flight might be 'compromised", so that has just been cancelled as well...I feel like going back to paying in cash for everything.

        Well, at least make sure that you boycott the business that you entrusted with your data, and write to the CEO pointing out that whatever "we take your data security seriously" statement they've made is an abject lie, that their organisation is incompetent, and highlighting examples of how their ineptitude is going to cost them money.

        I'd also recommend that you copy in somebody like the senior non-exec director, or the CEO of any parent company, because that dramatically enhances the chance that the CEO will have to read it, whereas most CEO complaints are read only by the PA who then writes a polite but insincere apology in the CEO's name. So if you want to do that, you'd write the complaint to Alex Cruz, and copy in Willie Walsh, CEO of IAG. Walsh's PA probably won't pass the complaint to him, that doesn't matter - Cruz has to cope with not just a Mr Angry letter, but he has to accept that there are measureable costs for each record lost. If nothing else, it occupies somebody's time and that costs them money.

        1. Gordon 10 Silver badge
          Thumb Up

          Good Advice

          Great advice - one caveat

          I wouldn't necessarily choose Willie - he's just the CEO's Boss. (i.e. another busy CEO)

          BA Board members can be found here.

          https://www.bloomberg.com/research/stocks/private/board.asp?privcapId=256565

          IAG Board Members here

          http://www.iagshares.com/phoenix.zhtml?c=240949&p=irol-govboard2

      5. Bruce Ordway

        back to paying in cash for everything

        >> back to paying in cash for everything

        And if vendors can easily offer pricing without credit card fees baked into them?

        My local gas station maintains a "cash only" pump which was cheaper but... the owner once explained to me it was complicated by credit card companies. According to him, prices are inflated due to credit card companies and there are restrictions to offering "discounts" for cash/alternate methods of pay... at least here in the US.

  2. Neil Spellings

    First large scale test of GDPR legislation perhaps?

    1. robidy

      Didn't that go to TSB?

      1. Doctor Syntax Silver badge

        "Didn't that go to TSB?"

        Good question. Their initial problem happened well before GDPR became effective. Were there any intrusions after that date? Simply providing an inadequate service without a leakage of customer PII isn't going to fail GDPR so were there any ongoing leakages subsequently?

    2. JimboSmith Silver badge

      First large scale test of GDPR legislation perhaps?

      I was thinking the very same thing and yes more than likely it will be. Could be a very big fine for BA or IAG. Someone just messaged me to say that they hope it was a script kiddie who hasn't been able to do anything with the data. I replied that I found that prospect more worrying i.e. the largest airline in the UK being able to be successfully attacked by a script kiddie.

      1. Neil Spellings

        Re: First large scale test of GDPR legislation perhaps?

        Of course I fully expect the end result to be no fine and GDPR shown to be a damp squid. IAG will argue it took "reasonable steps" to protect customers data blah blah and will walk away with a slapped wrist and offering free credit file monitoring for affected customers.

        1. Dr Who

          Re: First large scale test of GDPR legislation perhaps?

          Data protection and information security are two slightly different things.

          A good lawyer will show that BA only stored data it needed for the purposes of transacting its business with the customer and further that BA took reasonable steps to control access to and protect that data. The lawyer will show that this was a particularly skilled compromise of BA's information security measures, but not a breach of its obligations under GDPR.

          1. Anonymous Coward
            Anonymous Coward

            Re: First large scale test of GDPR legislation perhaps?

            That is not corrct.

            A data breach is a breach of GDPR, period. It is then down to the ICO to determine the size of fine taking many factors in to consideration.

            BA can be fined for this. The real question is whether the ICO has the guts. That remains to be seen.

        2. Anonymous Coward
          Anonymous Coward

          Re: First large scale test of GDPR legislation perhaps?

          GDPR shown to be a damp squid.

          Squib, not squid.

          All squid are damp, but only damp squibs are a failure, which is what the phrase means.

        3. Mr Dogshit
          Headmaster

          Re: a damp squid

          squib

          1. Anonymous Coward
            Anonymous Coward

            Re: a damp squid

            @Mr Dogshit

            Well done... now read the comment above yours.

          2. chronicdashedgehog

            Re: a damp squid

            Upvoted just for your username

  3. Anonymous Coward
    Anonymous Coward

    Sounds like a very bad hack.

    Zero mention of the word encrypted so clearly the information was stolen as it was inputted. This can only therefore be rogue code in BA's website, or a compromised third party hosted JavaScript library.

    Given the stolen information was only personal and payment information it sounds like a compromised third party script used during the booking process and nowhere else.

    Otherwise if you had access to add rogue code to the website, why would you stop at personal information and not travel or passport details.

    We've seen third-party hosted library attacks a few times recently, and it is one of the reasons I dislike relying on third-party hosted content.

    1. Anonymous Coward
      Anonymous Coward

      Third party commented source code is fine, providing you know how to read through it. Though I am assuming a quick read through is quicker than a full rewrite.

      Though things can still be hidden, you can use the source for examples and idea on how to do your own things.

      Using the code out right and not checking it? Asking for trouble.

      1. DaLo

        Not third party code, the AC is talking about third party hosted code which is prevelant across the board.

        There are many benefits to both the user and the site owner but it does provide another avenue(maybe multiple avenues) for potential attacks. If it is not using an Https connection to the third party then that is open to abuse.

    2. Gordon 10 Silver badge

      I tend to agree with you - 2 observations

      1. It was both the App and the Website - so presumably that narrows it down further.

      2. The detailed timing of the window suggest it was associated with either a BA or Thirdparty code release to me, or worse an explicit intrusion that they have already traced. Considering they only shut down the breach on Wed they have gathered a big chunk of forensics in the first 24hrs.

      1. Korev Silver badge

        1. It was both the App and the Website - so presumably that narrows it down further.

        The app tends to dump you onto a website to do a surprising number of things.

        I'm almost pleased that the BA attempts to make themselves into an expensive budget airline persuaded me to use a proper budget airline and avoid this!

    3. julian_n

      Sounds very similar to the One+ hack - I hope that BA are better than One+ at assisting affected customers.

    4. caffeine addict Silver badge

      Bloke on Radio4 this morning sounded like he wanted to go into details of what happened but had been told not to.

      He said that the "very sophisticated" attack got card numbers and CVC codes but that encryption hadn't been broken. He also said that they hadn't spotted it, rather one of their trusted partner security firms (presumably one of those sites that verifies other sites are secure - in which case they suck) which suggests that maybe it was something hiding on a form page.

      I've not checked the app out. Is it anything more than a wrapper for some html pages? If it is, it sounds like someone actually got in to their system and listened in there, which is quite a lot worse.

      Interestingly, Radio4 said (and wasn't contradicted by blokey) that passports numbers had been taken too, but everything since has said otherwise.

      1. Anonymous Coward
        Anonymous Coward

        "Is it anything more than a wrapper for some html pages?"

        It is literally their web page wrapped in an app. It's absolute pants.

      2. uptoeleven

        "'App" isn't really an app...

        As a BA Exec Club member - I get to use their "app" all the time. It's basically a viewer for a bunch of html pages / forms - although (helpfully) not all cookies are shared with your browser so you have to log back in again, or just use their site. Nothing that can't be done more efficiently on the site itself, other than downloading boarding passes.

        As I won't be back in the UK for a couple of weeks I've now had to move all my funds out of the account to which the card was attached, and cancel the card for my business banking which means I'm now relying on backup, personal cards for business expenses and transferring between accounts.

  4. Anonymous Coward
    Anonymous Coward

    We take the protection of our customers’ data very seriously.

    as in "no, really, not kidding, seriously".

    1. Anonymous Coward
      Anonymous Coward

      Re: We take the protection of our customers’ data very seriously.

      Not as in a serious joke then?

    2. macjules Silver badge

      Re: We take the protection of our customers’ data very seriously.

      Yes, It is OUR right to sell our customers' data on to dodgy third-party marketing agencies, not some criminal's right.

    3. Arkyn

      Re: We take the protection of our customers’ data very seriously.

      Always the same old line, I wish they would say something original or at least apologise and not prefix it with this obvious falsehood.

      1. Kabukiwookie

        Re: We take the protection of our customers’ data very seriously.

        We take the protection of our customers’ data very seriously.

        They just leave out the bit ', but not enough to spend any serious money on it, since damage control if something happens is still cheaper for us than actually making sure your data is secure'.

        These things will not change until C-level management is made directly responsible if things like this go wrong.

        Data breach? CTO goes to jail.

        Problem will fix itself within the next 6 months.

        1. el-keef

          Re: We take the protection of our customers’ data very seriously.

          "Data breach? CTO goes to jail."

          No-one in their right mind would take a CTO job if this was the case. So you'd end up with even more clueless idiots in charge, or companies would end up without a CTO at all. Either way I can only see this making things worse.

          Massive fines seems like a more effective way to solve this. But we've yet to see if this will actually happen under GDPR or if the bigger companies will wiggle their way out through loopholes.

          1. Anonymous Coward
            Anonymous Coward

            Re: We take the protection of our customers’ data very seriously.

            Too right!

            A C[I|T]O earns 50% more than the numpty developers, with 1000% of the responsibility and experience required. If you think a C[I|T]O in an organization the size of BA can reasonably be expected to inspect and personally assure what's being delivered by a 1000+ IT workforce then you have clearly never worked anywhere near that level.

            Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all. As it stands we have an IT market flooded with polyglot morons who think plugging frameworks and libraries together like lego bricks is actually worthy of £600/day, before they run off to their next contract and leave the steaming pile of non-performant and insecure crap behind them.

            1. Kabukiwookie

              Re: We take the protection of our customers’ data very seriously.

              Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these f**k-ups wouldn't happen at all.

              Most of these f**k-ups only happen, because with every IT project, corners are being cut to meet arbitrary dead-lines (often linked with bonuses for management for finishing early/under budget).

              As it stands we have a market flooded by f**k-ups who think they're able to manage a project, who are paid well over £600/day, but are too moronic to listen to the highly paid experts when they tell them not to cut any corners. Only a poor crafts-man blames his tools.

              1. Anonymous Coward
                Anonymous Coward

                Re: We take the protection of our customers’ data very seriously.

                I will now forever associate BA with Bloody Agile.

          2. Kabukiwookie

            Re: We take the protection of our customers’ data very seriously.

            No-one in their right mind would take a CTO job if this was the case.

            You mean, nobody who doesn't know anything about security, how to enforce it and check that subordinates are indeed implementing said security would take the job.

            And that's exactly the purpose.

            Someone who cannot ensure that subordinates are doing what they're supposed to be doing should not be in any position of power. C-level management requires a person to have leadership skills, not being best golf-buddies with members of the board.

            1. el-keef

              Re: We take the protection of our customers’ data very seriously.

              Anyone with that level of security knowledge would know that's it's essentially impossible to guarantee absolute security. While there's definitely a lot most companies could and should do, there's always going to be some zero-day exploit that could bite you. Spectre and Meltdown have shown we can't even trust the basic hardware underpinning everything.

              Why would anyone take the risk that a new form of exploit out of your control could send you to jail? You'd have to be mad.

              If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.

              1. Kabukiwookie

                Re: We take the protection of our customers’ data very seriously.

                If you somehow think imposing this level of penalty would magically make everyone write every line of code from scratch, including the OS, and CPU microcode, to ensure every single byte has been thoroughly inspected, then you misunderstand how business works.

                Of course it would would not magically happen, it would require real work. Things 'magically happen' because someone else will take care of it is the current way of thinking, where C-level management is absolved from any wrong-doing, because they're 'not able' to control what everyone else in the company is doing.

                The key term here is 'due diligence'. Right now a lot of top management has no interest in ensuring they do a good job, since they are able to hide behind the excuse that they can't control what's happening on the lower rungs in the company.

                misunderstand how business works.

                I understand very well how businesses (and their internal politics) currently work and I also understand quite well what it would take to make them work well. You however don't seem to understand human nature.

                Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick.

                1. el-keef

                  Re: We take the protection of our customers’ data very seriously.

                  "Without an incentive to actually get off their ass, nothing will happen. Since larger and larger carrots don't seem to work, maybe it's time to apply the stick."

                  I agree with this statement, I just disagree that a stick which involves CTOs going to jail will be effective.

                  I actually think the GDPR, if it's actually implemented with vigour, provides a good stick - fining a company some large percentage of their global takings is a pretty decent incentive. But we'll see if companies wriggle out somehow.

                  1. Kabukiwookie

                    Re: We take the protection of our customers’ data very seriously.

                    fining a company some large percentage of their global takings is a pretty decent incentive.

                    Fines will be borne by the company, which will translate it into their cost. This means that with the large oligopolies that we're currently having, the customer eventually pays for the f**k-ups of poor management.

                    I am not saying CTOs should immediately go to jail without any investigation, but if their Security Officer has been warning the CTO time and time again that things need to be improved and the CTO doesn't act, the CTO did not perform his/her 'due diligence'. This should be at the very least a fire-able offence without pay / golden parachute.

                    The issue I have with this is that even if this happens (it does not), that incompetent previous C-level manager will happily start working somewhere else at the same level, due to his golf-buddies and f**k things up there.

                    Jail time seems to be the only way to actually get the message across. It doesn't even have to be years (I am actually against long incarceration), but even a few months being deprived of their freedom will quickly change not only their perception of the seriousness of the job, it will also change the perception of the next board looking to hire C-level managers.

                    I have no problem with competent managers being compensated properly. I have a problem with bumbling fools being elevated above their capabilities, f**king up things for all employees in the company, then move on to the next one using their golden parachute.

                    1. Gordon 10 Silver badge

                      Re: We take the protection of our customers’ data very seriously.

                      @wookie. I agree with the seniment of your post. BA aren't anywhere near an oligopoly though...

                    2. Anonymous Coward
                      Anonymous Coward

                      Re: We take the protection of our customers’ data very seriously.

                      I would give them jail time in the check - in area so they can explain face to face to me why they were there.

                  2. G_Man

                    Re: We take the protection of our customers’ data very seriously.

                    You can see from the relative swiftness and number of comms channels with which BA have informed their customers, that they are trying to mitigate any potential ICO fines under that part of the DPA 2018 legislation.

                    What remains to be seen is if future announcements follow previously attacked companies' behaviour: a slow drip of info that more customers were affected; that the attack had been going on much longer...

    4. Norman Nescio Silver badge

      Re: We take the protection of our customers’ data very seriously.

      There's a very interesting post on PPRuNe which appears to challenge the idea of BA taking the protection of their customer's data seriously.

      PPrune: Thread: BA hacked but they're 'deeply sorry' Posting: website security

      To summarise with some quotations taken from the above post on PPRuNe by 'kristofera':

      1) Boatloads of 3rd party JS loaded from external sources

      2) No SRI signatures to ensure scripts have not been tampered with

      3) No CSP header to block script from "other" sources to be injected...

      I'm not an expert in any way shape or form in this area, but it doesn't sound good.

      1. Norman Nescio Silver badge

        Re: We take the protection of our customers’ data very seriously.

        Just to reply to my own posting, the writer of the PPRuNe posting has their own blog which goes into more detail, posted in May this year.

        KristoferA's blog:Things you probably don't want to do on your [airline] website's payment pages

        I have no connection with KristoferA, but thought it might make an interesting, if sobering, read, especially for anyone involved in PCI-DSS compliance.

      2. uqrxur

        Re: We take the protection of our customers’ data very seriously.

        I wouldn't presume subresource integrity to be already a mainstream defense, but the absence of a CSP header and the script loaded from untrusted sources would typically qualify for an act of negligence on a website like BA's.

        Now I'm not sure the CEO should be the one losing seat for this.

        I'd need to know whether

        1) security threat modelling teams did not spot the threat or issued poorly crafted warnings to the website project team,

        2) whether some project manager skipped the requirement because "security stuff" or

        3) whether a developer cheated by marking it "done" or

        4) whether the security testing team didn't spot or follow up the issue or

        5) wether the fix made it to the code and somehow did not end up on the website.

        6) etc.

        In such cases, root cause a analysis is key to understanding who or what processes were responsible to allow improvement. If BA just fires one person over this then we'll know they aren't doing RCA correctly.

        I still cross paths with security testing teams that can't issue anything more detailed than a "setup a CSP header" instruction without explaining why or what should be in the header.

  5. StuntMisanthrope Bronze badge

    A royal flush.

    Even after the last debacle, it's still vacant and a 100% return on the flop. Give us a clue. It's not suite, it's not colo(u)rR or token. #information

  6. Anonymous Coward
    Anonymous Coward

    Great timing...

    Subject: Group IT Cyber Security Update

    From: John Hamilton

    Sent: 01 August 2018 13:56

    All,

    Organisations across the world are facing a significant rise in more sophisticated and persistent cyber threat activity, and increasing regulatory requirements.

    Group IT has been looking at a group solution to strengthen our capability to continue to protect IAG and its operating companies (OpCos). Internal and external reports undertaken highlight that further investment is required in cyber security across IAG to provide a group-wide strategic and proactive approach.

    We have therefore outlined proposals to set up a Cyber Security Office and transfer the services of Cyber Security to a third-party partner, IBM, as a managed service to cover all cyber security services required to support IAG and its OpCos. Security Operations services will remain in Service Operations, Tower 3, in Service and Infrastructure.

    This proposal has been approved by the British Airways Management Committee (MC) for the start of a collective consultation process with BA colleagues and their representatives. We will of course, listen to and evaluate any alternative proposals put forward and are committed to consulting with affected colleagues within the applicable local and legal frameworks.

    We recognise and appreciate this proposal will mean a period of uncertainty and concern for colleagues working in the Cyber Security function. Should you have any questions or concerns, please speak to your line manager.

    Regards,

    John Hamilton and Laurie Diffey

    John Hamilton | Group IT Service Effectiveness Manager

    WTS

    IAG GBS, Waterside (HAB2)

    PO Box 365, Harmondsworth, Middlesex

    UB7 0GB, United Kingdom

    (sat nav UB7 0GA)

    1. StuntMisanthrope Bronze badge

      Re: Great timing...

      Manager, you bunch of wankers. It's not law, it's not fuck-wittery, I'd listen to the team, plus think on that.

    2. Anonymous Coward
      Anonymous Coward

      Re: Great timing...

      "third-party partner, IBM, "

      Hmm... why do those three letters keep on appearing around recent IT f'ups ?

      1. Anonymous Coward
        Anonymous Coward

        Re: Great timing...

        In my experience, outsourcing anything, let alone security, to India is a bad idea. I’m sure there’s good stuff out there but I’ve yet to come across it personally, sorry to say.

      2. Beavis-101

        Re: Great timing...

        possibly more like Leighton together with whoever [Tata] took on their onshore outsourced (hacked) systems after they sacked all their own BA developers a few years back.

      3. DuchessofDukeStreet
        Black Helicopters

        Re: Great timing...

        Maybe IBM are employing a team of saboteurs to cause major issues at companies possibly considering using them, so they can ride in to the rescue and charge gazillions in consultancy fees....

      4. Anonymous Coward
        Anonymous Coward

        Re: Great timing...

        In both recent major UK cases IBM were brought in because they fix things for others.

        1. Anonymous Coward
          Anonymous Coward

          Re: Great timing...

          A company not a million miles away from me had a bit of a security problem in the recent past as they too ran into the arms of IBM to try and make things better post-event.

        2. Anonymous Coward
          Anonymous Coward

          Re: Great timing...

          "In both recent major UK cases IBM were brought in because they fix things for others."

          I wouldn't trust IBM to tie my shoelaces.

          Not only the act, but I dread to think of the consultancy fees before an engineer is even deployed to tie the the laces.

    3. JimboSmith Silver badge

      Re: Great timing...

      That's the secret of good comedy........timing.

      1. JimboSmith Silver badge

        Re: Great timing...

        That's the secret of good comedy........timing.

        Except there's nothing funny about this.

      2. Rich 11 Silver badge

        Re: Great timing...

        That's the secret of good comedy........timing.

        That's the secret of good com....timing....edy.

        FTFY.

    4. Anonymous Coward
      Anonymous Coward

      Re: Great timing...

      Agree the timing has some comedic elements to it but again its showing that many organisations just don't know how to run an effective SOC and in turn Cybersecurity practices. Skills are at a premium and surely its better to outsource this to vendors who can provide effective management of these processes. It seems most of orgs just capture everything via some SIEMS and react when the brown stuff explodes in their faces.

  7. Anonymous Coward
    Anonymous Coward

    "'We take the protection of [insert the usual sht here] 'very seriously'"

    Bet you take front page media fallout and GDPR fines 'very seriously' though! BA robbed 2 grand off my family in denied flight refunds once. So forgive a moment of smugness here, but it feels good to watch executives squirm today.

    Not that it will affect their bonuses. That's what GDPR needs to do next, Senior-Executive-Bonus-Clawback. Now that would concentrate minds 'very seriously'.

    1. Cavehomme_ Bronze badge

      Re: "'We take the protection of [insert the usual sht here] 'very seriously'"

      Easyjet are far worse with their refunds and compensation.

    2. Arkyn

      Re: "'We take the protection of [insert the usual sht here] 'very seriously'"

      Maybe a stint of jail time for negligence if it can be proved that they skimped on security or failed to fund the implementation what their internal security teams were no doubt telling them.

  8. Jim Willsher

    I have a BA Amex and I make bookings every week with BA. I just phoned the BA Amex card number (from India, where I am now) and there's a recorded message "We are aware blah....you are not liable blah....there is no need to take any action at this time".

    So no panic from them, it seems.

    My previous booking (in the time frame) was done on ba.com whilst logged in and I used my saved card details, just having to enter my CVV. I wonder if that helped or not, given that I didn't have to actually key in a bunch of stuff? Depends where the malware was plonked, I guess.

    1. Anonymous Coward
      Anonymous Coward

      There also seems to be 2 different code streams for bookings running on BA's :

      The new "modern" look, on the main site, and the older version if you go in through your Executive Club page.

      1. Jim Willsher

        Yes, and I always use the old one via BAEC as the new one is fugly and horrid to use.

        1. Anonymous Coward
          Anonymous Coward

          "Yes, and I always use the old one via BAEC as the new one is fugly and horrid to use."

          The new one is both horrid to use and the business logic is completely broken.

          For example, explicitly tell it you want flights departing from LHR (Heathrow) and it will give you answers for Gatwick and every other "somewhere near London" airport.

          The result is instead of a page listing three or four flights, you're dumped with a page listing 20–30 which you then have to scroll through.

  9. Charles Smith

    Good choice Alex

    Alex Cruz is to be commended in his great choice in TCS as part of his mission to destroy BA. I'm sure the UK IT techicians made redundant will have a wry smile as they munch their toast this morning.

  10. Mike 137

    It's not 'theft'

    To steal (i.e. to commit theft) in English law is to 'permanently deprive' the victim of what is stolen. Unless the data were deleted at source by the perps after they got hold of it, it's exfiltration not theft. If the perps go on to take funds using the exflitrated card data that will be theft.

  11. kbb
    Headmaster

    ...separated by a common language

    Tsk. All these comments and no one has mentioned the missing 'u'? Even their American Advert with prices in dollars had the UK spelling of favourite. ;)

  12. Potemkine! Silver badge

    "We take the protection of our customers’ data very seriously"

    ROTFL,

    PR BS makes things look worse, by making people saying it look like buffoons without any credibility.

  13. Alan_Peery

    Missing from the press release -- CVV status

    The press release from BA says "financial details" but fails to specify if the CVV was also disclosed, or it is was not as it was only held in memory during the operations.

    Curious omission.

    1. Chris Miller

      Re: Missing from the press release -- CVV status

      The spokesbeing on R4 this morning confirmed (a) 'all the data was encrypted' and (b) including CVV numbers.

      Those familiar with PCI-DSS will be aware that two of its main requirements are that credit card data must be encrypted (tick), and that CVV numbers must NOT be retained on the system, even in encrypted form (whoops). The problem isn't so much with PCI-DSS in principle (though there are problems there, too), but the 'enforcement' mechanism. This is basically that the credit card provider will charge you more for transactions if you're not PCI-DSS and (more significantly) that it's the merchant who is responsible for settling any fraudulent transactions.

      But this enforcement mechanism becomes almost irrelevant if you're a tier 1 customer, doing billions a year (like BA). These guys don't have the same arrangements with the credit card companies that a small corner shop would have, it's an individual deal and non-compliance with PCI-DSS isn't a deal-breaker (as long as you can say "yes we're aware of this issue an have plans in place to resolve it ...").

    2. Ochib

      Re: Missing from the press release -- CVV status

      According to the Radio 4 interview, the following information was stolen

      1) Credit Card number

      2) Expiration date

      3) CVV number

      4) Name

      5) DOB

      And he wanted to tell how the information was stolen, but it was very complicated (subtext it was in a report he read, but it wasn’t written in a language he understood)

      1. Chris Miller

        Re: Missing from the press release -- CVV status

        Latest seems to be that the data was stolen'in transit', which would account for the presence of CVV numbers.

        1. Androgynous Cupboard Silver badge

          Re: Missing from the press release -- CVV status

          380,000 cards in 3 weeks? Seems like a lot. Apparently they fly 145,000 passengers/day, so if nothing else it's likely the attack was across the whole company not one region.

        2. James R Grinter

          Re: Missing from the press release -- CVV status

          Co-inky-dinkly, my Amex card just got abused last night. At least twice, before I was able to make the call and get it blocked.

          Nothing massive, just a couple of online services taking a preauth - possibly an abuser “testing” the numbers. Now I’ve not flown BA for a while: I probably have used that card number with them in the past, though it would be a different expiry and CID.

          But there’s a few other orgs that held that card’s details, at least three of which are “big enough” to have been storing numbers themselves instead of a third party system. I hope none of them have been hit, for that would be very messy indeed.

  14. Andrew Moore Silver badge

    So....

    380,000, when adjusted for PR arse-covering, is 3,800,000 in reality...

  15. Fred Dibnah

    From their FAQs

    "Should I call my bank or cancel my credit cards?

    We recommend you contact your bank and follow their recommended advice."

    Talk about passing the buck. WTF is 'recommended advice'?

    Glad I'm not a customer (never liked them, especially since they started flying international only out of London).

  16. Must contain letters

    And it doesn't help that when I called one of my banks (3 cards effected FFS) they said I should change the PIN on my card. WTF. Only when I asked for my card to be stopped and a new card please did they say that yes thats a good idea.

  17. Nano nano

    No bonus this year ....

    "Under the GDPR, supervisory authorities will be given significantly more powers to enforce compliance and will have the power to impose administrative fines, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year"

  18. philipbaker

    Cant change BA password

    Even though I've not booked on BA.com for over a year so unlikely affected, although not holding my breath... I thought I'd change my password as always good practice when a site get's compromised, but their password reset function appears broken, so right now can't even change password!!

  19. Aladdin Sane Silver badge

    We take the protection of our customers’ data very seriously

    Bullshit.

  20. Dr_N Silver badge
    Trollface

    AmEx's lines have been engaged all morning

    I wonder why?

    1. Anonymous Coward
      Anonymous Coward

      Re: AmEx's lines have been engaged all morning

      They're doing nicely ?

  21. pleb

    Value for money

    Unless the fine is bigger than the savings made by outsourcing IT to India then it will be seen as money well spent.

  22. Rufus

    Chat bots and interview

    I wonder if BA had a "chat" service to help customers during the booking process:

    https://www.theregister.co.uk/2018/04/05/sears_delta_customer_payment_cards_hacked/

    Quick clip from Radio 4 listing what was stolen:

    https://www.bbc.co.uk/programmes/p06kjsw3

    The full Radio 4 interview is worth listening to, more for what isn't said about the breach....

    https://www.bbc.co.uk/radio/play/b0bgp8g6

    Starts at 1:50:30

  23. steamdesk_ross

    It might not have been a keylogger...

    People seem to keen to blame third party javascript code and/or a hack on the website but given the long and precise date range over which data was stolen, Occam's razor suggests to me that a one-off theft of a single DB might be the truth. Of course, that would also suggest that they *were* storing CVV codes in their DB. But it does seem more likely to me than the notion that they had a compromised, busy public website on which a data leakage hack was able to operate unspotted for such a long time...

  24. StuntMisanthrope Bronze badge

    The shout was meant be louder.

    This is systematic failure of a known corporate weakness to invest for the long term shareholders st the behest of personal gain. It’s nothing less than outright gross incompetence at a international infrastructure at brand level. #elwallace

  25. low_resolution_foxxes

    Friends with a victim

    My work colleague mentioned she was hit by this hack a few days ago.

    She claims they stole her AMEX details from BA and purchased a number of BA flights with it. I cannot help but think that is an odd choice for a hacker, passport control would be an adrenaline thrill wondering whether the flight had been flagged as fraud or not.

    1. StuntMisanthrope Bronze badge

      Re: The shout was meant be louder.

      #cybermiles

    2. StuntMisanthrope Bronze badge

      Re: The shout was meant be louder.

      It’s beyond a fucking outrage. The hackers did it. No you didn’t do it, you didn’t want to listen, or look stupid. Well now here it is. #toldyousoinassembly

  26. 0laf Silver badge
    Facepalm

    Sophisticated atatck

    It's always a sophisticated attack isn't it. To start with they like to make out it was the equivalent of an 5yr long NSA funded Mossad developed program of industrial espionage.

    In 3 months we'll find out they were hacked by a bright 11yr old that stumbled on one of their remote access logins with a null password.

    Either that or a manager clicked on a phishing link really thinking he was getting "Genuine grad A top qwaliti Viagrae".

    Oh and I've flown BA a few times with increasing levels of uselessness and farce followed by their best attempts at ignoring me in the complaint process. I've flown with many carriers including Ryanair and EasyJet and in my own personal experience BA have been the worst to use.

    1. low_resolution_foxxes

      Re: Sophisticated atatck

      The bigger problem with BA is that their pensions liability is gigantic.

      Roughly 10-11% of your ticket price is going to pay for the historic final salary pensions, apparently for the pilots that is £100+k. Yet alone paying for the future pensions..

      1. Anonymous Coward
        Anonymous Coward

        Re: Sophisticated atatck

        I knew I should have become a pilot, it's simpler than IT and pays more.

  27. Londonerjk

    Minor email fail

    I was affected by the breach and got an email from them (without a lot of detail). I replied back asking for details and was given an undeliverable message

    "mr1-0.bo3.e-dialog.com rejected your message to the following email addresses:

    Your message couldn't be delivered because the recipient's email system reported the following error: '550 5.8.5 For security reasons we do not accept messages containing images or other attachments. We respectfully suggest you remove any image or attachment (this may be your corporate signature) and resend. Thank you."

    Turns out it was the images in their message to me include in the reply string - I deleted that and my message got through to them (but no reply yet). Seems a bit odd to send an email and then reject a reply because it's potentially insecure due to their own message ...

  28. Anonymous Coward
    Anonymous Coward

    Outsourcing is never a good idea

    Been in IT for 20 years now. Seen a lot of the India outsourcing companies and how they operate and they never come close to a UK team competence.

    I'll have to keep my comments light for libel reasons. I've worked with TCS personally and I have personally experienced a lack of technical skills when they were claiming to be specialists. That's especially hard to take when you see someone that is competent being made redundant to make room for them. In the end, you build a rapport with the TCS technicians, after all, they are human and they are merely a cog in the Tata machine. When you find yourself having to find an extra number of hours a week to clean up after them though, it gets harder to digest.

    When I worked with them, I found myself scrutinising everything they did. Reviewing every line of code and config, because the level of inconsistencies and errors was high. We found ourselves constantly chasing TCS for actions which ultimately, delayed projects and caused additional expense in onshore teams due to replanning and repeat effort. I have personally seen a farm of servers built by TCS. Every single server looked different and had it's own problems. Classic inexperienced stuff like setting different file ownership/permissions on each server which left a server open to an attack. This is the sort of thing an experienced member of staff solves with scripting and automation.

    The costs of outsourcing are not clear. There is an indirect cost on everyone else, covering up and keeping the business running.

    You would think these outsourcing companies would learn from their mistakes, but that takes personal responsibility and that isn't profitable. I have worked with a TCS team that changed it's staff on a monthly basis. It just felt like setback after setback. Instead of continuos improvement, you find yourself training the next offshore guy because the previous offshore guy told him half a story and didn't write up a process for transition.

    I could blame TCS all day long for this sort of stuff, but I have to hold UK based Project Managers and Senior Managers accountable. They are the ones hiring these guys. They are the ones not holding them to account. They are often the ones that do not know IT and are merely there because they know the business. They are the ones that might have done some coding 20 years ago when things were very different and are therefore out of touch. They are the ones that are not auditing offshore for their true cost and just accepting this as IT culture. The sooner IT starts treating bugs and defects as incompetence, the better. Right now, you're a hero when you release something broken and fix it. I can't think of any other profession where you reward a tradesman for making a mess of the first attempt, then pay him extra to fix it and take him/her out on a night out to celebrate.

  29. jms222

    Damp squib/squid

    Now get off your pedalstool!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019