News British Airways hit by payment data breach

Discussion in 'Article Discussion' started by bit-tech, 7 Sep 2018.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    1,342
    Likes Received:
    22
     
  2. jb0

    jb0 Member

    Joined:
    8 Apr 2012
    Posts:
    303
    Likes Received:
    18
    I actually read this article solely because I saw CVVs were stolen, and I wanted to know how that happened.
    Of COURSE British Airways isn't going to answer that question.
     
  3. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,457
    Likes Received:
    190
    I'm guessing, as Mr H didn't mention encryption, neither has BA; I'm also guessing that if they were using it then the ne'er-do-wells wouldn't have gotten away, either directly or via MITM, with easily usable payment details. Maybe when the government said they should be allowed access to information BA just thought, why bother with encryption. :)

    I bet the fines for this are going to be pretty big.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,745
    Likes Received:
    890
    Encryption - in the case of TLS - only works from browser to web server. Now, a database full of payment details should also be encrypted, it's true, but there's a gap there: between the web server and the database, the payment details are unencrypted. (I mean, they have to be, 'cos you need to use 'em to take the payment...)

    My guess would be: attackers got into the server and sat for two weeks sniffing the traffic betwixt the web server and the payment processor. That means that the data was encrypted in transit, and encrypted in storage, but they still got it in the clear - and would explain how they also got CVVs, assuming BA wasn't stupid enough to break PCI DSS.
     
    Corky42 likes this.
  5. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,457
    Likes Received:
    190
    Honestly with some of the stupid things some companies do with regards to IT and specifically security it wouldn't come as a surprise if something comes out that causes a facepalm.
     
  6. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,529
    Likes Received:
    133
    Presented without comment.
     
  7. Mister_Tad

    Mister_Tad Super Moderator Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    11,540
    Likes Received:
    375
    Huh. Made a card payment to BA on Aug 20th. Fancy that.
     
  8. Goatee

    Goatee Active Member

    Joined:
    19 Apr 2015
    Posts:
    852
    Likes Received:
    49
    Ditto, credit card cancelled and a new one ordered. Pity there is no class action lawsuit in the UK...
     
  9. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    9,711
    Likes Received:
    834
    Wonder if this will be the first high-profile post-GDPR case/fine...
     
  10. yuusou

    yuusou Well-Known Member

    Joined:
    5 Nov 2006
    Posts:
    1,675
    Likes Received:
    150
    Booked a BA flight about a month or so ago but bought it through budgetair.nl.
     
  11. Dennis1234567

    Dennis1234567 New Member

    Joined:
    28 Aug 2015
    Posts:
    13
    Likes Received:
    0
    I think the most important question is WHY were the CVV records retained when the internet standard is not to record them after use? It's a common sense thing, you do not retain them, ever. This has to be one for the ICO.
     
  12. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,745
    Likes Received:
    890
    They weren't retained (by BA, anyway; obviously they were retained by the attacker, who you'll be amazed to hear doesn't have to adhere to PCI DSS): They were captured during the transaction by injecting a modified version of an existing script into the payment portal page.
     
    Corky42 likes this.
  13. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,457
    Likes Received:
    190
    That RiskIQ blog post was an interesting read, at least for a layman like me it was, thanks. :)
     