It had to happen again, because it always does with alarming regularity.
But the exposure of 380,000 BA customer payment cards is one of the biggest single UK payment card security gaffes ever.
BA said the stolen data did not include travel or passport information.
It did, however, include the personal and financial details of those booking travel via the BA website and mobile app during the affected period.
Compromised information includes card numbers and CVV codes.
The attackers must be in cyber heaven.
If you’re looking for clues as to how the hack happened, the fact that only card information was stolen is a big one: it suggests the data was lifted from online payments at the moment they were being made.
This gains further weight from BA's own statement: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised."
We can only speculate as to how the attack was carried out, but it wouldn’t be a long shot to suggest that a third-party script was compromised.
- Most websites today integrate third-party scripts from a variety of sources.
- Often these scripts, loaded from vendor servers such as ad networks, analytics and marketing platforms, lack the level of security needed to protect visitors to the site.
- Third-party scripts you likely see every day include banners, search boxes, games, videos, polls and social buttons.
- Third-party code is executed only in the visitor’s web browser, which means the company’s own web server and the security measures around it are bypassed.
- If attackers discover a vulnerability in a third-party script, they can embed malicious code that snoops on information such as card data while a payment is being made and funnels it elsewhere.
Do airline booking sites use third-party scripts?
You bet they do and sometimes excessively.
The next time you pay for something online (it doesn’t have to be with an airline) and reach the payment page, press F12.
This launches your web browser's developer tools, where you can see for yourself which third-party resources are included in the payment page.
This will give you some idea of how many third-party scripts a website loads.
It’s well known in some technical circles that some airline websites make excessive use of third-party scripts.
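The F12 inspection above can be automated. The following is an added example, not code from the original post: pasted into the browser console on a payment page, it lists every script served from a site other than the page's own and flags those loaded without a Subresource Integrity attribute or over plain http. The host names in the sample input are constructed, and the registrable-domain helper is a deliberate approximation rather than a full public suffix list.

```javascript
// Added example (not the original post's code): list the <script> tags on the current
// page that come from a different site than the page itself, and flag those loaded
// without a Subresource Integrity (integrity=) attribute or over plain http.
// Crude registrable-domain approximation (assumption: a hard-coded handful of
// two-label public suffixes instead of the full public suffix list).
function registrableHost(hostname) {
  const parts = hostname.toLowerCase().split(".");
  const twoLabel = ["co.uk", "org.uk", "com.au", "co.jp"].includes(parts.slice(-2).join("."));
  return parts.slice(twoLabel && parts.length >= 3 ? -3 : -2).join(".");
}
// scripts: [{src, integrity}] as read from <script> attributes; returns third-party entries only.
function classifyScripts(pageOrigin, scripts) {
  const pageHost = registrableHost(new URL(pageOrigin).hostname);
  const report = [];
  for (const s of scripts) {
    if (!s.src) continue;                    // inline script: first-party by definition
    const url = new URL(s.src, pageOrigin);  // resolves relative paths against the page
    const host = registrableHost(url.hostname);
    if (host === pageHost) continue;         // same site, including its own CDN subdomains
    const hasIntegrity = Boolean(s.integrity && s.integrity.trim());
    report.push({ src: url.href, host, hasIntegrity, https: url.protocol === "https:" });
  }
  return report;
}
function summarize(report) {
  const hosts = [...new Set(report.map((r) => r.host))].sort();
  const unpinned = report.filter((r) => !r.hasIntegrity).length;
  const insecure = report.filter((r) => !r.https).length;
  return { thirdParty: report.length, unpinned, insecure, hosts };
}
// Browser entry point: reads the live DOM; not called at load time, so the file also runs under Node.
function auditCurrentPage() {
  const scripts = Array.from(document.scripts).map((el) => ({
    src: el.getAttribute("src"), integrity: el.getAttribute("integrity") }));
  const report = classifyScripts(location.origin, scripts);
  console.table(report);
  return summarize(report);
}

// Constructed sample (fictitious hosts, not real airline data) for offline use.
const SAMPLE_ORIGIN = "https://www.example-airline.co.uk";
const SAMPLE_SCRIPTS = [
  { src: "/static/checkout.js", integrity: null },
  { src: "https://cdn.example-airline.co.uk/vendor.js", integrity: null },
  { src: "https://analytics.example-tracker.com/tag.js", integrity: null },
  { src: "https://cdn.example-cdn.net/lib.min.js", integrity: "sha384-AAAA" },
  { src: "http://ads.example-ads.org/banner.js", integrity: "" },
];
```

On the constructed sample, `summarize(classifyScripts(SAMPLE_ORIGIN, SAMPLE_SCRIPTS))` reports three third-party scripts, two of them unpinned and one fetched over plain http; on a live page, every unpinned third-party entry is a script whose content the site operator does not control.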
Desperately seeking outsourced security
It was recently revealed by the irreverent press bible of the tech industry, The Register, that BA was seeking to outsource its cyber security.
- Just weeks before the hack, BA’s parent IAG was planning to outsource its cybersecurity to IBM, after conceding it needed a strategic and proactive approach to counter threats.
- The airline expected to transfer the majority of its cybersecurity functions to IBM with the exception of its security operations services.
Companies don’t usually outsource something that is working well.
Is there a link between the hack and the planned outsourcing?
We’ll let you decide.