British Airways reeling from payment data breach
The personal and financial details — including payment card numbers — of 380,000 online customers of British Airways have been stolen in a data breach.
The airline disclosed that customers using its website and mobile app between 21 August and 5 September had their personal details compromised in the breach.
As well as card numbers, compromised information included names, billing addresses and email addresses, but no travel or passport details.
The breach is believed to be the subject of a criminal investigation. British Airways has been criticised for not providing many details about the method of the breach, and may now need to keep this information under wraps due to the investigation.
British Airways has promised to ensure that no customer loses money from fraud as a result of the breach, which could require the company to make significant compensation payouts.
Al-Bassam had filed the complaint after accusing British Airways of leaking customer booking data to Google, Twitter, LinkedIn and other third-party trackers and advertisers on check-in, without the customer’s consent. He said British Airways had changed the code to modify this practice.
He speculated that this change may have triggered a chain of events that led to the payment data being compromised, which ironically included his own credit card data.
Natterbox Managing Director and VP for Asia-Pacific Charles Heunemann said exploiting cross-site scripting allowed the attackers to compromise date without breaching the encryption on the British Airways website.
Heunemann suggested that a number of Australian companies have similarly lax security practices to British Airways.
“In Australia, credit card handling practices also fall short of PCI compliance particularly when it comes to conducting transactions over the phone with major financial and services who routinely accept [card numbers] and CCV while the call is being recorded,” he said.
“It’s really only a matter of time until similar breaches are exposed in Australia compelled under the rules of the new Notifiable Data Breaches (NDB) scheme. Merchant organisations do not need to retain or store card holder data.”
The Department of Parliamentary Services is investigating a "sophisticated" attack on...
The number of data breach notifications filed with the OAIC rose for the fourth straight quarter...
The growing number of data breach notifications filed during the December quarter demonstrate...