In early September British Airways revealed a significant data breach, compromising the data of 380,000 customer transactions, following what was described as a ‘sophisticated, malicious criminal attack’ on the airline’s website.
The attack itself took place between 21st August and 5th September, and saw customers’ financial data and personal details stolen whilst they were making or changing their bookings with the airline. BA were quick to reassure customers that the data stolen did not include flight and passport information.
Chief Executive at British Airways, Alex Cruz, was apologetic in his statement following the attack, stating, “Overnight, teams were trying to figure out the extent of the attack…the moment that actual customer data had been compromised, that’s when we began immediate communication to customers.”
BA insisted that although customers’ financial details, such as credit card numbers and expiration data, were stored in BA’s database, it did not store the three-digit CVV code located on the back of cards. The fact that CVV data was also retrieved in the breach has led security experts to believe that card details were intercepted at payment rather than stolen from a BA database. Cruz has reassured customers that should any money have been taken as a result of this breach, they would be compensated 100%.
How did the cyber-attack occur?
Although BA have not released details on how hackers managed to breach the site, some security experts believe that malicious code on the BA site extracted card details from customers the moment that they were placed into the system.
Professor Alan Woodford, a cyber-security expert at the University of Surrey, has stated that breaches of this nature are an ever-increasing issue for sites that place code from third-party suppliers onto the website. Should this third party be compromised, websites displaying its code may subsequently be affected.
Without confirmation from BA, the cause of the breach is merely speculation at this point; an investigation is underway by the Information Commissioner’s Office. If BA is found to have failed to take every possible precaution to prevent a breach such as this from occurring again, the business could face some astronomical fines.
How can your business reduce its risk of cyber security breaches?
Cyber attacks such as BA’s affect businesses of all sizes and across all industries. Therefore, whether you are a start-up, an established SME or a large corporation, you must have effective cyber security procedures in place to keep your business’s risk at a minimum.
One of the best ways to ensure your cyber security is adequate is to speak to experts in this field, who will review and implement the most appropriate solutions for your particular business. Speak to the team at MWL Systems today to discuss your cyber security requirements.