News British Airways hit by payment data breach

Discussion in 'Article Discussion' started by bit-tech, 7 Sep 2018.

  1. bit-tech

    Read more
     
  2. jb0

    I actually read this article solely because I saw CVVs were stolen, and I wanted to know how that happened.
    Of COURSE British Airways isn't going to answer that question.
     
  3. Corky42

    I'm guessing that as Mr H didn't mention encryption, neither has BA. I'm also guessing that if they were using it then the ne'er-do-wells wouldn't have gotten away, either directly or via MITM, with easily usable payment details. Maybe when the government said they should be allowed access to information, BA just thought why bother with encryption. :)

    I bet the fines for this are going to be pretty big.
     
  4. Gareth Halfacree

    Encryption - in the case of TLS - only works from browser to web server. Now, a database full of payment details should also be encrypted, it's true, but there's a gap there: between the web server and the database, the payment details are unencrypted. (I mean, they have to be, 'cos you need to use 'em to take the payment...)

    My guess would be: attackers got into the server and sat for two weeks sniffing the traffic betwixt the web server and the payment processor. That means that the data was encrypted in transit, and encrypted in storage, but they still got it in the clear - and would explain how they also got CVVs, assuming BA wasn't stupid enough to break PCI DSS.
     
    Corky42 likes this.
  5. Corky42

    Honestly, with some of the stupid things some companies do with regard to IT and specifically security, it wouldn't come as a surprise if something comes out that causes a facepalm.
     
  6. edzieba

    Presented without comment.
     
  7. Mister_Tad

    Huh. Made a card payment to BA on Aug 20th. Fancy that.
     
  8. Goatee

    Ditto, credit card cancelled and new one ordered. Pity there is no class action lawsuit in the UK...
     
  9. RedFlames

    Wonder if this will be the first high-profile post-GDPR case/fine...
     
  10. yuusou

    Booked a BA flight about a month or so ago but bought it through budgetair.nl.
     
  11. Dennis1234567

    I think the most important question is WHY were the CVV records retained when the internet standard is not to record them after use? It's a common sense thing, you do not retain them, ever. This has to be one for the ICO.
     
  12. Gareth Halfacree

    They weren't retained (by BA, anyway; obviously they were retained by the attacker, who you'll be amazed to hear doesn't have to adhere to PCI DSS): They were captured during the transaction by injecting a modified version of an existing script into the payment portal page.
     
    Corky42 likes this.
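
A modified copy of an existing script served on the payment page, as described in post 12, is the case a script-integrity audit is meant to catch. The following is an added example, not part of the thread and not BA's or RiskIQ's code: it compares every external script a page loads against a reviewed baseline of Subresource Integrity (SRI) hashes. The paths, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Return the Subresource Integrity value (sha384, base64) for script bytes."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit_page(html: str, served: dict, baseline: dict) -> dict:
    """Classify each external script as ok, modified, unpinned or unknown."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {}
    for src, integrity in collector.scripts:
        actual = sri_hash(served[src])
        if src not in baseline:
            findings[src] = "unknown"    # not in the reviewed script inventory
        elif actual != baseline[src]:
            findings[src] = "modified"   # served bytes differ from the reviewed copy
        elif integrity != actual:
            findings[src] = "unpinned"   # tag has no matching integrity attribute
        else:
            findings[src] = "ok"
    return findings

# Constructed sample data: a reviewed script and the same file with bytes appended.
GOOD_JS = b"function validateForm(f) { return f.checkValidity(); }\n"
TAMPERED_JS = GOOD_JS + b"/* constructed: extra code appended after review */\n"
MENU_JS = b"var menu = 1;\n"
BASELINE = {"/js/menu.js": sri_hash(MENU_JS), "/js/validate.js": sri_hash(GOOD_JS)}
PAGE = (
    f'<script src="/js/menu.js" integrity="{sri_hash(MENU_JS)}"></script>'
    '<script src="/js/validate.js"></script>'
    '<script src="/js/extra.js"></script>'
)
SERVED = {"/js/menu.js": MENU_JS, "/js/validate.js": TAMPERED_JS, "/js/extra.js": b"1;\n"}
```

Calling `audit_page(PAGE, SERVED, BASELINE)` on the sample data reports the appended-to file as `modified` and the script missing from the inventory as `unknown`.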
  13. Corky42

    That RiskIQ blog post was an interesting read, at least for a layman like me it was, thanks. :)
     