The breach of the British Airways website by threat group Magecart was deeper than originally thought, according to airline statements and analysis by cyber-security experts.
In what is becoming a bad week for international air travellers, British Airways has revealed that it was hacked not once but twice in recent months. It follows the news earlier this week that airline Cathay Pacific had suffered a major data breach.
BA made the second attack public on 6 September and notified the Information Commissioner’s Office (ICO). It said at the time that 380,000 credit card records were affected.
The first attack, which took place from 21 April to 28 July, was announced yesterday. It was only discovered after BA called in cyber-security forensic investigators and the National Crime Agency (NCA) to investigate the second attack. This attack is also being attributed to Magecart.
The first attack affected the holders of 185,000 payment cards. BA said that it "is notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV".
Customers affected by the breach are limited to those who made ‘reward bookings’ between 21 April and 28 July 2018 and used a payment card.
The revelation of the new timeline indicates that Magecart was in the BA systems for longer than the company first admitted, giving the group more time to construct the second attack that enabled the group to steal credit card details with CVV numbers, according to Alan Woodward, visiting professor in the computer science department at the University of Surrey.
Woodward told SC: "The worrying part of the [second] BA attack is that it appears to have been found only when the other Magecart hack was being investigated. From the public statements, it suggests that Magecart may have been in the systems for some time, not just the limited period previously thought."
He added: "The good news is that the ‘first’ Magecart attack, unlike the second, does not appear to have harvested the CVV numbers so any credit card data should be of less value. As BA have said that they think it was the same group behind both hacks, it looks as if Magecart had several months in which to conduct their reconnaissance and hence mount such a problematic attack where they grabbed the CVV numbers."
BA said it is unable to tell whether data was removed from the site during the attack but is taking a "prudent approach" and assuming this to be the case. It advised customers to contact their bank or card issuer for advice.
BA declined to confirm whether customer data was stored on BA.com, saying this was a matter of an ongoing criminal investigation.
A BA spokesperson told SC Media UK: "This has been a complex investigation with specialist cyber-forensic investigators, and working closely with the National Crime Agency, which is why new information has come to light. It’s all part of the same criminal data theft and there’s a continuing police investigation looking into it."
GDPR data breach notification
It is unclear whether BA will have to notify the ICO of a new data breach or whether, as part of an ongoing investigation, the newly disclosed attack falls under the previous notification.
The ICO said that it is aware of the breach but didn’t say whether BA had notified it. Asked for a comment, it simply said: "The ICO’s investigation into a cyber-attack at British Airways is ongoing. Meanwhile, we advise people who may have been affected to be vigilant when checking their financial records and to follow the advice on the ICO, National Cyber Security Centre and Action Fraud websites about how they can protect themselves and their data online."
The attack disclosed in September was originally said to have affected 380,000 card holders, but BA has now revised the figure downward to 244,000. It also said that it has not had any verified cases of fraud reported from those compromised accounts.
However, it has been suggested that BA was in breach of Payment Card Industry (PCI DSS) rules on the online processing of card details, because the payment page loaded scripts that were not strictly necessary for taking the payment. Every script that runs on a payment page, whether first-party or from a third-party host, executes with full access to the form fields the customer types into, so each unnecessary script is an additional place a skimmer can be injected.
According to Jon Baines, data protection advisor at solicitors Mishcon de Reya, the ICO would take into account the security technology and procedures deployed to protect the data when deciding on any penalties.
Baines said it was too early to say whether BA would be required to make a separate GDPR notification to the ICO. "If BA's investigations have now revealed a completely separate breach, then they would have a legal obligation to make a second report to the ICO. If, however, this latest news just constitutes further details on the original breach, they may not need to make another formal report," he told SC. "In any event though, the significant publicity means that the ICO has become aware… and will certainly be asking BA some serious questions about it."
In a statement to customers, BA said: "We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating."
It expects to be able to notify all affected customers by 5pm GMT on 26 October.
Despite this being BA’s second breach in two months, the company said it is safe for customers to use BA.com.
Matthew Aldridge, Senior Solutions Architect at Webroot, commented that attacks on the airline industry appeared to be gaining momentum. Airline customers, especially business travellers, travel a lot, which would help fraudsters bypass location-based credit card fraud checks. "From a transactions perspective, the process requires various integration solutions, which each have their own weaknesses for attackers to study and target," he said.
Rusty Carter, vice president of product management at Arxan Technologies, said it was disappointing that, despite BA having plugged the breach announced in September, a second incident – of significantly longer duration – was only uncovered as a result of extensive investigations by cyber-security forensic investigators and the NCA.
"It demonstrates that enterprises still do not have in place robust enough security to protect their backend systems and databases, or the measures in place to identify these attacks in real time and cut them off as soon as abnormal activity is detected," Carter said. "It is not beyond the means of organisations, especially those that process and manage such sensitive and critical information, to put in place tools that can analyse and detect threats or the exfiltration of data over a significant period of time."