
News British Airways hit by payment data breach

Discussion in 'Article Discussion' started by bit-tech, 7 Sep 2018.

  1. bit-tech

    Read more
     
  2. jb0

    I actually read this article solely because I saw CVVs were stolen, and I wanted to know how that happened.
    Of COURSE British Airways isn't going to answer that question.
     
  3. Corky42

    I'm guessing as Mr H didn't mention encryption neither has BA, I'm also guessing if they were using it then the ne'er-do-wells wouldn't have gotten, either directly or via MITM, away with easily usable payment details, maybe when the government said they should be allowed access to information BA just thought why bother with encryption. :)

    I bet the fines for this are going to be pretty big.
     
  4. Gareth Halfacree

    Encryption - in the case of TLS - only works from browser to web server. Now, a database full of payment details should also be encrypted, it's true, but there's a gap there: between the web server and the database, the payment details are unencrypted. (I mean, they have to be, 'cos you need to use 'em to take the payment...)

    My guess would be: attackers got into the server and sat for two weeks sniffing the traffic betwixt the web server and the payment processor. That means that the data was encrypted in transit, and encrypted in storage, but they still got it in the clear - and would explain how they also got CVVs, assuming BA wasn't stupid enough to break PCI DSS.
     
  5. Corky42

    Honestly with some of the stupid things some companies do with regards to IT and specifically security it wouldn't come as a surprise if something comes out that causes a facepalm.
     
  6. edzieba

    Presented without comment.
     
  7. Mister_Tad

    Huh. Made a card payment to BA on Aug 20th. Fancy that.
     
  8. Goatee

    Ditto credit card cancelled and new one ordered. Pity there is no class action lawsuit in the UK....
     
  9. RedFlames

    Wonder if this will be the first high-profile post-GDPR case/fine...
     
  10. yuusou

    Booked a BA flight about a month or so ago but bought it through budgetair.nl.
     
  11. Dennis1234567

    I think the most important question is WHY were the CVV records retained when the internet standard is not to record them after use? It's a common sense thing, you do not retain them, ever. This has to be one for the ICO.
     
  12. Gareth Halfacree

    They weren't retained (by BA, anyway; obviously they were retained by the attacker, who you'll be amazed to hear doesn't have to adhere to PCI DSS): They were captured during the transaction by injecting a modified version of an existing script into the payment portal page.
     
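Added example, not part of any post in this thread and not BA's or RiskIQ's code: a defender-side check for the situation described in the post above, where an existing script on a payment page is replaced by a modified copy. It pins each script's Subresource Integrity (SRI) hash at release time and flags any served file that no longer matches; the paths and script bodies are constructed placeholders.

```javascript
// Added example: detect a changed payment-page script by comparing its
// Subresource Integrity (SRI) hash with a baseline pinned at release time.
const { createHash } = require("node:crypto");

// SRI-format digest ("sha384-<base64>") of a script body.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Constructed sample: the script as reviewed and released.
const releasedLib = "function validateCard(form) { return form.checkValidity(); }\n";
// Constructed sample: the same file after an unreviewed change was appended.
const servedLib = releasedLib + "/* unreviewed addition */\n";

// Baseline recorded at deploy time (hypothetical path).
const baseline = { "/js/lib.js": sriHash(releasedLib) };

// Compare what the server currently serves against the baseline.
// `served` maps script path -> body, as a monitoring job would fetch it.
function auditScripts(baseline, served) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    const expected = baseline[path];
    const actual = sriHash(body);
    if (expected === undefined) {
      findings.push({ path, status: "unknown-script", actual });
    } else if (expected !== actual) {
      findings.push({ path, status: "modified", expected, actual });
    }
  }
  // A pinned script that is no longer served is also worth a look.
  for (const path of Object.keys(baseline)) {
    if (!(path in served)) findings.push({ path, status: "missing" });
  }
  return findings;
}

// Tag a deploy step could emit so the browser refuses a file whose hash changed.
function scriptTag(path, body) {
  return `<script src="${path}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}
```

An `integrity` attribute only protects visitors while the page HTML itself is unmodified, so the out-of-band comparison against a stored baseline is the part that catches a script changed on the server.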
  13. Corky42

    That RiskIQ blog post was an interesting read, at least for a layman like me it was, thanks. :)
     