Hackers managed to breach and access the personal and financial details of British Airways customers who booked flights through the company’s website and mobile app in the past three weeks.
Data from around 380,000 card payments was compromised during a 15-day span between 10:58 pm British time Aug. 21 and 9:45 pm Sept. 5. The information included personal and financial details of people who made or changed bookings during that period.
The company is in the process of contacting all affected customers and advises them to ask their banks for advice on actions they should take to protect their payment cards. Alex Cruz, the chief executive officer of British Airways, told the BBC that the company plans to compensate customers who suffer financial loss due to the breach.
According to Cruz, the stolen information included names, home addresses, email addresses, credit card numbers, expiration dates and three-digit security codes, also known as CVV codes. However, passport and other travel information, such as itineraries and frequent flyer data, was not compromised.
The theft of CVV codes provides some hints about how the attack might have happened, because storing these codes is prohibited under the payment card industry’s security standards, which BA adheres to. Therefore, the codes could only have been intercepted and stolen in real time as users entered them on the website, not taken from a database at a later time.
Attackers have installed keylogging scripts on websites in the past to capture personal and payment card information. Over the past six months, such a campaign affected more than 7,000 Magento-based online shops.
When stored in a database for later use, payment card details are encrypted, and Cruz said that BA’s encryption was not defeated.
“No, our data is encrypted,” he said, according to Reuters. “There were other methods, very sophisticated efforts, by criminals in obtaining the data.
“It was having access to our systems in an illicit way, it was very sophisticated,” he added.
BA is the second airline that announced a data breach recently. Last week, Air Canada forced all users of its Mobile+ app to change their passwords after hackers managed to access the profile information, including names, email addresses, birth dates and passport details of some customers. In Air Canada’s case, passport and frequent flyer information was compromised, but payment card details were not.
“GDPR has placed us in a world where disclosure of data breaches are likely to occur before the full details of the attack are known,” said Tim Mackey, technical evangelist at Synopsys, via email. “On the positive side, companies are highly incented to improve the level of security monitoring they perform. While to the traveling public, a two-week window under which the attack wasn’t properly identified as such is alarming, the reality is that absent regulations like GDPR such incidents could go undisclosed for significantly longer. It is my hope that while we see an increase in disclosures in the near term, as organisations improve their software and system security measures a marked decline in successful attacks will ensue.”
DOJ Charges North Korean for WannaCry, Other Attacks
The U.S. Department of Justice has charged a North Korean man over his alleged involvement in destructive cyberattacks attributed to the Lazarus Group, a hacker group believed to be working for the North Korean government.
According to the complaint filed June 8 in the United States District Court in Los Angeles and unsealed Thursday, Park Jin Hyok worked for a company called Chosun Expo Joint Venture or Korea Expo Joint Venture (KEJV) that acted as a front for supporting malicious cyber actions of the North Korean government.
KEJV had offices in China and North Korea and is affiliated with Lab 110, a component of North Korea’s military intelligence. The DoJ alleges that Park worked as a programmer for KEJV for over ten years, during which time he contributed to the creation of the malware used in the 2017 WannaCry ransomware attack, the 2016 theft of $81 million from Bangladesh Bank, the 2014 attack on Sony Pictures Entertainment and numerous other attacks and intrusions attributed by the cybersecurity industry to the Lazarus Group.
“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe,” said First Assistant U.S. Attorney Tracy Wilkison. “The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe.”