British Airways reported that its website and web app had been breached by attackers who downloaded customer data including credit card details, email addresses and postal addresses.
While details are sketchy at this point, this is what we have found out so far about the BA breach.
1. BA informed customers within 24 hours of discovering the breach
BA said it discovered the breach at 21:45 BST on Wednesday 5 September. It began contacting customers the following evening. However, the notification process was not perfect: some customers have complained that they were not contacted about the breach at all and only found out through social media and the news media.
2. Full credit card details were stolen
While BA was keen to emphasise that stolen data did not include travel or passport details, it did include credit card details including the number, expiration date and CVV number, enough information for criminals to make fraudulent transactions.
3. Attackers were able to access data for 15 days
BA says the breach occurred between 22:58 BST on 21 August and 21:45 BST on 5 September, meaning that the attackers were able to intercept data for 15 days. During that time, BA says 380,000 customers were affected.
4. The breach was discovered by a third party contractor
Speaking on BBC Radio 4’s Today Programme this morning, BA chief executive Alex Cruz said that the breach was discovered by an outside contractor. "We have a network of partners who are monitoring continuously what happens to websites across the world. We got a signal from one of those partners and we began to work," he told the programme.
5. It took several hours to discover the extent of the breach
Cruz said that after getting the ‘signal’, an investigation was begun. "It took us a number of hours to go through and we immediately began to go into every single detail. The moment we found out that actual customer data had been compromised, that is when we began an all out immediate communication to our customers – that was the priority," he said.
6. The attackers did not have to breach the BA website to access data
Under the Payment Card Industry Data Security Standard (PCI DSS), merchants are not allowed to store CVV numbers. BA says it did not store CVV numbers, so the card data must have been captured as customers entered it rather than taken from a BA database, indicating that an attacker may have compromised a third-party software and services provider.
Alan Woodward, visiting professor in the computer science department at the University of Surrey, told SC that a likely attack scenario is the compromise of a third-party software script, similar to the attack that compromised Ticketmaster.
"Typically what happens is the third-party finds they have been compromised, alerts their customers who instantly pull the code from their site. The timings given by BA are very specific so it suggests someone either started using a script at a specific time, which was then found to be compromised, or someone at the third party detected an intrusion and was able to put a specific time on it," Woodward said.
"Supply chain attacks are becoming more common precisely because they can be the weakest link and can remain undetected for longer," he said. "To their credit BA acted promptly in informing those affected, but I can imagine there may be some choice discussions going on with their supplier today."
7. There were errors in the breach response
Despite the fact that an organisation of BA’s size and sophistication would be expected to have a well-rehearsed breach response plan, Cruz admitted that the first customers to receive communications from the company received an email with a blank body text. He said these emails were later resent.
8. The UK data commissioner is investigating
A spokesperson for the Information Commissioner’s Office (ICO) said: "British Airways has made us aware of an incident and we are making enquiries."
9. This is just the latest IT problem for BA
BA has suffered several high profile IT glitches that have battered confidence in the company.
In July, IT problems resulted in the cancellation of dozens of flights at Heathrow. In June, thousands of customers who had purchased tickets at a reduced price had those tickets cancelled by the airline, which said they had been accidentally priced too low.
In May 2017, all BA flights at Heathrow and Gatwick were cancelled due to a severe IT fault.
10. Hacking can make your share price fall
Shares in International Consolidated Airlines have fallen by over 3.5 percent (at the time of writing) following news of the data breach.