British Airways reeling from payment data breach

By Dylan Bushell-Embling
Tuesday, 11 September, 2018

The personal and financial details — including payment card numbers — of 380,000 online customers of British Airways have been stolen in a data breach.

The airline disclosed that customers using its website and mobile app between 21 August and 5 September had their personal details compromised in the breach.

As well as card numbers, compromised information included names, billing addresses and email addresses, but no travel or passport details.

The breach is believed to be the subject of a criminal investigation. British Airways has been criticised for not providing many details about the method of the breach, and may now need to keep this information under wraps due to the investigation.

British Airways has promised to ensure that no customer loses money from fraud as a result of the breach, which could require the company to make significant compensation payouts.

An analysis of the breach conducted by Ubio CEO Marcus Greenwood concludes that the breach likely involved the use of cross-site scripting (XSS), made possible by a misconfiguration allowing third-party JavaScript code to run on the airline’s payments page.
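The weakness described above is third-party script running on a payments page that should only load first-party code. As an added example (not from the article, Ubio or British Airways), the following Python audits a page's `<script>` tags against a Content-Security-Policy allowlist and flags third-party scripts loaded without Subresource Integrity; the page HTML, the `www.ba.example` first-party host and the CSP are constructed placeholders.

```python
"""Audit a payment page's <script> tags against its CSP script-src allowlist. Added example,
not from the article, Ubio or British Airways; HTML, hosts and CSP below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))

def csp_script_sources(csp):
    """Return the script-src source list, falling back to default-src."""
    directives = {p[0].lower(): p[1:] for p in (d.split() for d in csp.split(";")) if p}
    return directives.get("script-src", directives.get("default-src", []))

def _host_allowed(host, first_party, sources):
    """True if 'self' or a host-based CSP source permits scripts from host."""
    for src in sources:
        if src == "*" or (src == "'self'" and host == first_party):
            return True
        if src.startswith("'"):  # nonces, hashes, other keywords: not host rules
            continue
        pattern = urlparse(src if "//" in src else "//" + src).hostname or ""
        if pattern == host or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False

def audit_page(html, first_party, csp):
    """Report third-party scripts lacking SRI and scripts the CSP would block."""
    collector = _ScriptCollector()
    collector.feed(html)
    sources = csp_script_sources(csp)
    findings = []
    for src, has_sri in collector.scripts:
        host = urlparse(src).hostname or first_party  # relative src => first party
        if host != first_party and not has_sri:
            findings.append(("no-sri", src))
        if not _host_allowed(host, first_party, sources):
            findings.append(("csp-blocks", src))
    return findings

# Constructed sample: first-party script, unpinned third-party tag, pinned CDN library.
PAGE = """<script src="/js/checkout.js"></script>
<script src="https://tags.thirdparty.test/tag.js"></script>
<script src="https://static.ba.example/lib.js" integrity="sha384-CONSTRUCTED"></script>"""
CSP = "default-src 'self'; script-src 'self' static.ba.example"
```

Running `audit_page(PAGE, "www.ba.example", CSP)` reports the unpinned third-party tag twice: once because it carries no integrity hash, and once because a policy restricted to `'self'` and the pinned CDN would refuse to execute it.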

The analysis was published shortly after security researcher Mustafa Al-Bassam revealed on Twitter that British Airways changed the third-party JavaScript code it uses on its website some time between 20th of July and 20th of August — the day before the breach first occurred — as a result of a privacy complaint he had made.

Al-Bassam had filed the complaint after accusing British Airways of leaking customer booking data to Google, Twitter, LinkedIn and other third-party trackers and advertisers on check-in, without the customer’s consent. He said British Airways had changed the code to modify this practice.

He speculated that this change may have triggered a chain of events that led to the payment data being compromised, which ironically included his own credit card data.

Natterbox Managing Director and VP for Asia-Pacific Charles Heunemann said exploiting cross-site scripting allowed the attackers to compromise data without breaching the encryption on the British Airways website.

Heunemann suggested that a number of Australian companies have similarly lax security practices to British Airways.

“In Australia, credit card handling practices also fall short of PCI compliance particularly when it comes to conducting transactions over the phone with major financial and services who routinely accept [card numbers] and CCV while the call is being recorded,” he said.

“It’s really only a matter of time until similar breaches are exposed in Australia compelled under the rules of the new Notifiable Data Breaches (NDB) scheme. Merchant organisations do not need to retain or store card holder data.”
