BA Data Theft


This topic contains 87 replies, has 37 voices, and was last updated by Swissdiver 5 Oct 2019 at 08:41.

Viewing 15 posts - 46 through 60 (of 88 total)

  • rferguson
    Participant

    For the first time ever….I disagree with rferguson.

    You miss the point that all the data was “stolen”. If you have a personal burglary at home you stop and think that maybe a better alarm system could have stopped your property from disappearing….but too late.

    In this case, BA had care of valuable property belonging to third parties.

    We trusted BA to a certain extent to protect us. However the data was stolen, and however sophisticated, BA should have the most robust security protection system in place. And for this theft to have continued for 2 weeks is a total disgrace.

    Sorry rferguson this shouldn’t have happened and for all the fluffing from Cruz, he and Walsh are ultimately responsible for this theft of our important data.

    Perhaps a more expensive burglar alarm will prevent it happening again, but that would cost money….!

    OPenfly – I totally get what you are saying. But until we know the facts of the data theft it’s unfair to pin the blame. Yes, we entrust organisations to keep our data safe. And yes, I understand the metaphor of having a home burglary and installing a better alarm. And if this ends up being a relatively simple case of data theft by a known method then absolutely, that’s poor. But we don’t know that yet. It could have been by an extremely sophisticated method not yet seen.

    It’s been widespread in the media that if BA was complicit in the security of customers in the data breach it could face fines of up to US$600. I’d LIKE to think that would be incentive enough for BA to have had systems in place that really are at the top of what any large organisation could expect to have and it will all come out in the wash whether they did or didn’t.

    The time it took BA to realise the data was stolen – I just read an interesting article online (admittedly from 2016) about data breaches. One in ten data breaches of large organisations went undetected by the company for more than a YEAR. Broken down into minutes, days, months and years it was ‘months’ that was the most common for a data breach to be detected. For example I mentioned in my first post how I had been caught up in this BA data theft and had also in the past with other organisations. The most recent was Talk Talk. The data breach had been going on for multiple months before they were aware of it. And once they were aware of it, it took them almost a month to begrudgingly notify those possibly affected. And they were rightly fined.

    https://qz.com/978601/one-in-10-data-breaches-discovered-in-2016-had-gone-undetected-for-more-than-a-year/

    As per my original post what I found kind of unfair was the complaints about the delay in BA notifying the concerned customers and the seeming lack of assistance. Personally, I don’t know how else BA could have reacted. Any other thoughts from anyone other than emailing everyone concerned within 24HRS, taking out full page ads in the national media?

    And of course what made up the bulk of my post – ‘where’s my Avios’ compensation (roll eyes emoji).


    rferguson
    Participant

    I have had another mail from BA saying I have been impacted and the data lost includes CVV number.

    I thought it was illegal for CVV numbers to be stored / retained?

    I thought the same. Not 100% sure but I think the merchant should delete the CIV once the payment is processed.


    capetonianm
    Participant

    You make some good points, rferguson, and particularly about the compensation. I feel strongly about people claiming compensation over and above their actual costs or to offset inconvenience and I am not fond of the ‘compensation’ culture. I recently had an extra day and night at an airline’s expense in a city I was happy to be in, and although I was entitled to EU261 compensation on top of that, I didn’t claim as I suffered neither loss nor significant inconvenience. The people I was with all claimed.

    The underlying fact remains though that BA had a duty to take better care of clients’ data, and it would appear that they have failed. As a multi-million pound global organisation, they should be three steps ahead of the criminals, not one step behind. There is little excuse for what happened, and previous events have shown that BA’s IT has been deficient in many areas in the past.

    Some people might be tempted to say they have been ‘unlucky’ but generally in life the less care you take over things the more ‘unlucky’ you will be, and the reverse applies.

    By the way where you said “if BA was complicit in the security of customers in the data breach it could face fines of up to US$600”, you left off some zeros, six to be exact.

    You said ‘not 100% sure but I think the merchant should delete the CIV once the payment is processed.’ If you read my previous posting on this, you will see that it is automatically deleted, but some merchants manually store it, which of course is appalling practice, even if not actually ‘illegal’.


    rferguson
    Participant

    You make some good points, rferguson, and particularly about the compensation. I feel strongly about people claiming compensation over and above their actual costs or to offset inconvenience and I am not fond of the ‘compensation’ culture. I recently had an extra day and night at an airline’s expense in a city I was happy to be in, and although I was entitled to EU261 compensation on top of that, I didn’t claim as I suffered neither loss nor significant inconvenience. The people I was with all claimed.

    The underlying fact remains though that BA had a duty to take better care of clients’ data, and it would appear that they have failed. As a multi-million pound global organisation, they should be three steps ahead of the criminals, not one step behind. There is little excuse for what happened, and previous events have shown that BA’s IT has been deficient in many areas in the past.

    Some people might be tempted to say they have been ‘unlucky’ but generally in life the less care you take over things the more ‘unlucky’ you will be, and the reverse applies.

    By the way where you said “if BA was complicit in the security of customers in the data breach it could face fines of up to US$600”, you left off some zeros, six to be exact.

    You said ‘not 100% sure but I think the merchant should delete the CIV once the payment is processed.’ If you read my previous posting on this, you will see that it is automatically deleted, but some merchants manually store it, which of course is appalling practice, even if not actually ‘illegal’.

    What’s six zeros between friends? 🙂 Yes, a huge amount of money. I will claim some compensation for loss of profit share next year due to management incompetence if that ends up being the case! lol


    esselle
    Participant

    Do you really mean “complicit”, which implies they were knowingly involved in the act? Surely you mean “deficient”, which implies they allowed something to happen which was potentially avoidable?

    It is the latter which would be caught under the GDPR responsibilities which now exist.


    rferguson
    Participant

    Do you really mean “complicit”, which implies they were knowingly involved in the act? Surely you mean “deficient”, which implies they allowed something to happen which was potentially avoidable?

    It is the latter which would be caught under the GDPR responsibilities which now exist.

    Esselle, yes deficient would explain better. : – ) Sorry, English is not my first language and I still sometimes get my English terms mixed up.


    JohnnyG
    Participant

    Taken from Sunday Times

    British Airways hack was ‘a disaster waiting to happen’

    A security consultant says the airline rejected his advice on its ‘woeful’ system for keeping card payments secure
    The cyber-attack on British Airways by hackers who stole the card details of about 380,000 passengers was a “disaster waiting to happen”, according to a consultant hired to improve the airline’s payment systems.
    Ben Oguntala worked as consultant this year at BA headquarters near Heathrow. He says he quit after concluding that new controls being implemented to prevent customer card payment data being hacked were inadequate. “I fly first class on BA and they have my credit card data so I was very concerned,” he said. “It was a disaster waiting to happen.”
    Klaus Goersch, BA’s chief operating officer, sent a message to staff on Friday hailing the airline’s improved punctuality in August, which he described as a “remarkable achievement”.
    The previous night BA announced it had been hit by a large-scale cyber-attack. Passenger card details and personal information were compromised by criminals over a 16-day period from August 21 to September 5 — without the airline noticing.
    Customer names, addresses, 16-digit card numbers, expiry dates and the three digit CVV code on the back of the card were all stolen. The airline could be fined £500m for the breach.
    Goersch’s comments were branded “crass and arrogant” by Jonathan Hawkins, 49, a BA passenger from west London forced to cancel three credit cards because of the hack.
    Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.
    One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.
    “By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”
    The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.
    Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”
    Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.

    Alex Cruz, BA’s chief executive, said the airline was “deeply sorry” for the breach, adding: “We will make it through this.” Asked whether he would quit, he said: “What I am considering right now is how fast we can contact our customers.”

    6 users thanked author for this post.

    CathayLoyalist2
    Participant

    Now you would think that the BBC and Sky, to mention but two media, would be all over this. How many heads will I hear rolling over the tarmac at Waterside? None.


    Tom Otley
    Keymaster

    From the PR person at RiskIQ

    “RiskIQ implicates Magecart in breach of British Airways”

    Digital risk management leader shows how 22 lines of code claimed 380,000 Victims

    September 11, 2018 –
    RiskIQ, the global leader in digital risk management, today revealed that its researchers traced the breach of 380,000 sets of payment information belonging to customers of British Airways to Magecart, the credit-card skimming group made infamous for its July breach of Ticketmaster.

    Because the attack was reported by British Airways to be web-based and targeting credit card data, RiskIQ researchers strongly suspected Magecart was behind it. Leveraging the company’s global web-crawling network, which maintains a map of the internet and enables security practitioners to analyse web pages and their components as they appear through time, they confirmed that assumption.

    The attack was similar to the one leveled against Ticketmaster with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality. RiskIQ’s data shows that scripts supporting the functionality of the payment forms on the British Airways’ website were copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.

    The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimise users in the same way.

    “This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, head researcher at RiskIQ.

    “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

    The researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began. RiskIQ web-crawling data shows that a certificate used on the attacker’s command and control server was issued on August 15, nearly a week before the reported start date of the attack on August 21.

    There’s a report from RISKIQ here

    1 user thanked author for this post.
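    The RiskIQ release above describes scripts on the payment page being copied and modified while keeping their normal behaviour, and says the researchers confirmed it by comparing crawled copies of the page and its components over time. The following is an added example in that defensive spirit, not code from RiskIQ, BA or this forum: it fingerprints the external scripts a page loads, compares two crawls, and flags a script whose body changed at the same URL or which references a host outside an allowlist. All hostnames, the allowlist and both script bodies are constructed placeholders.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# Hosts allowed to serve, or be referenced by, checkout-page scripts
# (constructed allowlist for this example, not BA's real hostnames).
ALLOWED_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}

class ScriptSources(HTMLParser):
    """Collect the src attribute of every external <script> on one page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def sri_hash(body):
    """Subresource-Integrity style digest, the value an SRI attribute would pin."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def hosts_in(text):
    """Hosts named by absolute or protocol-relative URLs in a src or script body."""
    return {h.lower() for h in re.findall(r"(?:https?:)?//([A-Za-z0-9.-]+)", text)}

def snapshot(html, assets):
    """Fingerprint one crawl: script URLs, their body hashes, and hosts they name.
    `assets` maps each src to the body the crawler fetched for it."""
    inv = ScriptSources()
    inv.feed(html)
    digests = {src: sri_hash(assets.get(src, "")) for src in inv.srcs}
    hosts = set().union(*(hosts_in(t) for t in inv.srcs + list(assets.values())))
    return {"scripts": digests, "hosts": hosts}

def diff_snapshots(base, cur, allowed=ALLOWED_HOSTS):
    """Findings from comparing a known-good crawl with the current one."""
    findings = []
    for src, digest in cur["scripts"].items():
        if src not in base["scripts"]:
            findings.append(f"new external script: {src}")
        elif base["scripts"][src] != digest:
            findings.append(f"external script changed at same URL: {src}")
    for host in sorted(cur["hosts"] - allowed):
        findings.append(f"script references non-allowlisted host: {host}")
    return findings

# Constructed sample crawls: identical page markup, but the served checkout
# script body differs, which is the pattern the RiskIQ release describes.
CHECKOUT_JS = "//cdn.example-airline.test/checkout.js"
PAGE_HTML = f'<html><body><form id="pay"></form><script src="{CHECKOUT_JS}"></script></body></html>'
BASE_ASSETS = {CHECKOUT_JS: "function submitPayment(form) { /* post to own API */ }"}
CUR_ASSETS = {CHECKOUT_JS: BASE_ASSETS[CHECKOUT_JS]
              + "\n/* modified copy: also references //skimmer.invalid/ (placeholder host) */"}

def run_example():
    return diff_snapshots(snapshot(PAGE_HTML, BASE_ASSETS), snapshot(PAGE_HTML, CUR_ASSETS))

if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

    The same hash comparison is what a Subresource Integrity attribute or a Content Security Policy script-src allowlist would enforce in the browser at load time, rather than after the fact in a crawl.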

    Cwyfan
    Participant

    Is there anybody there?

    BA have now just taken to hiding behind a prerecorded message saying they are very busy, so go to the website, and then cutting you off.

    I would not phone if I was able to deal with what I wanted on the website.

    Are they trying to lose customers permanently?


    AnthonyDunn
    Participant

    Thanks to Tom and JohnnyG for their enlightening contributions. The RiskIQ article is both fascinating, astonishing and deeply alarming if it is THAT easy to install a discreet 22-line JavaScript onto a website that handles millions of card transactions each year.

    As someone who has also been impacted by this, I contacted Amex after receiving the BA notification email. Amex were entirely clear that there is no further action needed at this point in time and they will notify if new cards need to be issued.

    One other point: American Express’ use of Artificial Intelligence to monitor and model expenditures and predict fraudulent transactions is so superior to almost all card issuers that it is ludicrous for retailers to decline to use them. If anything, they should prefer to take Amex and decline to take other cards owing to an appreciably lower risk of loss.

    In this day and age, it would appear that any corporate which puts immediate “shareholder value” (dividends) before long-term investment in an extremely robust IT infrastructure is mismanaged and heading for a major fall. To bastardise Oscar Wilde, to suffer one IT meltdown is a misfortune, to suffer two looks like carelessness. It will be very interesting to see what emerges from BA’s future public statements to shareholders, from any criminal investigation and from what the ICO sets out when levying a fine on BA.

    5 users thanked author for this post.

    DerekVH
    Participant

    I have received a further email from BA telling me I can have a 12 month free subscription to Experian which will alert me to any credit checks made against my name. It says go to the ProtectmyID website but does not give the web site address or include a link to the site. If I google search the site there does not appear to be anywhere to join – the BA email says join by clicking in the top right hand corner. The only thing that is there is for existing members to log in.

    I am worried now this is another hack!


    MartynSinclair
    Participant

    So what is the answer for ‘Joe Public’ when they call into institutions? At the moment, BA are asking up to 5 different questions to ensure you are who you say you are. If you are dialling into an automated call centre, you can end up pressing enough buttons to write a novel…

    Yet via your app, your passwords can be stored and you are in straight away to your account.

    The post by John Dunn is very alarming, but the hack into large companies is only one side of the coin, the other side is the consumer’s doorway into the online financial highway.

    I even have financial institutions asking me to call in for a code to open an encrypted email, containing nothing more than a monthly fund manager’s bulletin, with no identifying personal reference numbers.

    A real life game of cat and mouse.


    Tom Otley
    Keymaster

    I have received a further email from BA telling me I can have a 12 month free subscription to Experian which will alert me to any credit checks made against my name. It says go to the ProtectmyID website but does not give the web site address or include a link to the site. If I google search the site there does not appear to be anywhere to join – the BA email says join by clicking in the top right hand corner. The only thing that is there is for existing members to log in.

    I am worried now this is another hack!

    Well I hesitate to say it isn’t, but this is what we got….

    “Dear Customer,

    Following our email notifying you about our recent criminal data theft, we wanted to provide you with more information about the credit rating monitoring we are offering to UK customers who are concerned about an impact to their credit rating.

    As you are aware, from 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised.

    The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately, this information could be used to conduct fraudulent transactions using your account. If you have not already, we strongly recommend that you contact your bank or credit card provider immediately and follow their advice.

    We deeply apologise for any worry and inconvenience this criminal activity has caused. For your reassurance, we’re offering you 12 months of free credit and identity monitoring services, provided by Experian, one of the UK’s leading Credit Reference agencies.

    Your free ProtectMyID membership

    To help you to monitor your personal information for certain signs of potential identity theft, we are offering you a free 12 month membership to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

    Activating your free ProtectMyID membership

    1. Ensure that you sign up for the service by 12 December 2018. Your code expires after this date.

    2. Visit the ProtectMyID website to get started.

    3. Click on ‘Join ProtectMyID’ (top right-hand side).

    4. Enter your details along with the following activation code: XXXXXXX.

    This code is unique to you and only available in this email – please keep this email for reference.

    Once your membership is activated, you’ll have access to the following features:

    1. Unlimited access to your Experian Credit Report.

    2. Credit Alerting – an email or text to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.

    3. Access to an Identity Theft Resolution service if you do become a victim of fraud, where you’ll have a dedicated case worker who will support you in resolving fraud that has occurred.

    4. If you are at higher risk of fraud, Experian can add protective Cifas registration to your credit report which can help prevent credit being taken in your name. The Cifas Protective Registration service places a flag alongside your name and personal details in the National Fraud Database. Companies and organisations who are signed up as members of the database will see you’re at risk and take extra steps to protect you.

    If you have any questions regarding this service, then please contact Experian’s Customer Support Centre on 03444 818182*. They are open Monday to Friday, 8am to 8pm and Saturday, 9am to 5pm.

    Yours sincerely,

    Alex Cruz

    Chief Executive Officer”


    DerekVH
    Participant

    Thanks Tom, the link did not appear on my browser and the click to join link is in the middle of the page not the top right hand corner – you would think someone would check this before they send out possibly 380,000 emails!
