BA Data Theft

Back to Forum

This topic contains 85 replies, has 37 voices, and was last updated by  capetonianm 17 Jul 2019
at 14:05
.

Viewing 11 posts - 76 through 86 (of 86 total)

  • canucklad
    Participant

    BA to be fined 1.5%( £183M) of it’s annual takings as a result of their carelessness.
    apparently they’re going to appeal
    Does this mean 50p more for a G&T : )


    capetonianm
    Participant

    Rather than fining them, they should be forced to invest into better IT systems and staff.


    w8ster
    Participant

    I agree with the fine but I’d like to get some as a traveller (not just BA) some clarity around how the authority will be using the money to benefit the overall information security for the industry.

    5 users thanked author for this post.

    SimonS1
    Participant

    Rather than fining them, they should be forced to invest into better IT systems and staff.

    Would you seriously trust BA on that front?


    CathayLoyalist2
    Participant

    Surely a fine of that magnitude, if the appeal fails which I hope it does, should see the immediate departure of the CEO?


    canucklad
    Participant

    From the BT news article ……..

    Commenting on the news BA’s chairman and chief executive Alex Cruz said:
    “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

    Meanwhile Willie Walsh, IAG’s chief executive, said:
    “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

    Is Cruz’s comment about the leak not affecting people a bit wide of the mark ?

    I too wouldn’t trust BA to use the money to invest in strengthening its IT security. It (IAG) is obsessed with shareholder dividends and increased YOY growth in its profit margins. More likely IAG’s top team are , as we speak trolling through the yellow pages to get a no win-no pay lawyer onto the case.

    On a serious note, is not unprecedented for regulators to up the fine if the appeal isn’t held up, so BA must be quite confident that they’ll win. Alas for BA, I think the severity of the fine is not just down to the amount of personal customer details compromised but the release of the CVV numbers as well was probably too much for the ICO to stomach


    SimonS1
    Participant

    Can’t say I’m surprised given the general level of penny pinching at BA. Another serious IT failure last weekend and now this mega fine.

    The ice must be getting thin for Alex in his flak jacket. Comments about not knowing any victims of fraud are at best disingenuous and at worst quite disdainful of those who were inconvenienced.

    You can tell times are tough when the duty team on the FT BA forum don’t step in with a string of Vintage Krug style comments. The fact that they have resisted trying to polish this model is a good indicator of general sentiment.


    capetonianm
    Participant

    Comments about not knowing any victims of fraud are at best disingenuous and at worst quite disdainful of those who were inconvenienced.

    Jacob Zuma infamously claimed not to have known anyone who died of AIDS. This is the same level of dangerous disingenuity and dishonesty.

    1 user thanked author for this post.

    SimonS1
    Participant

    Comments about not knowing any victims of fraud are at best disingenuous and at worst quite disdainful of those who were inconvenienced.

    Jacob Zuma infamously claimed not to have known anyone who died of AIDS. This is the same level of dangerous disingenuity and dishonesty.

    But he did take a shower 😉


    mkcol74
    Participant

    So I’ve seen a few adverts for a group litigation like this one and was wondering – worthwhile, or just leave well alone?


    capetonianm
    Participant

    I wonder if anyone else spotted this. I’ve been banging on about it for ages, it was only a matter of time before this and other weaknesses were exploited :

    Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y’all boarding passes to spies
    Patched IDOR hole would have been child’s play to exploit

    Updated A now-patched vulnerability in the Amadeus flight reservation system – used by airlines around the planet – could, or may, have been exploited by miscreants to view strangers’ boarding passes.

    David Stubley, CEO at UK security consultancy 7 Elements, told us last night he discovered the privacy-busting flaw, which was present in the Amadeus check-in application used by airlines.

    Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger’s ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the pass for that ID number.

    This is a classic insecure direct object reference (IDOR) vulnerability, which can be exploited to enumerate through records that otherwise should be off limits. Here is an example check-in URL with the passenger’s ID number in bold:

    https://checkin.si.amadeus.net/1ASIHSSC … uctIndex=0

    Stubley told The Register the flaw could be exploited in both websites and apps for airlines that use Amadeus’s technology to handle their reservations and boarding passes – that’s roughly half of the world’s major carriers.

    “Originally it was found when using an airline’s mobile app for check-in,” the CEO said. “Once you have the URL you can then access directly without needing to use the website or mobile app.”

    The bug was privately disclosed to Amadeus and was patched prior to public disclosure, so airlines and their customers are already protected. Still, the disclosure is hardly a ringing endorsement for Amadeus in the wake of the company’s previous infosec gaffes.

    The ability to pull up boarding passes would, at best, be a potential disclosure of personal information as a snoop could see things like flight dates and times, and possibly use that to collect other information.

    More seriously, the downloaded boarding passes would be valid, meaning a scumbag who printed out the pass, arrived before the actual customer, and was able to somehow get past security could use it to get into restricted areas or a flight.

    “It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside,” said Stubley. “However, those controls are not uniformly deployed across all airports.”

    Amadeus sent us the following statement:

    “Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution. Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.” ®
    Updated to add

    “Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution,” Amadeus told The Register in a statement.

    “Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.”

    1 user thanked author for this post.
Viewing 11 posts - 76 through 86 (of 86 total)
You must be logged in to reply to this topic.
Business Traveller July / August 2019 edition
Business Traveller July / August 2019 edition
Be up-to-date
Magazine Subscription
To see our latest subscription offers for Business Traveller editions worldwide, click on the Subscribe & Save link below
Polls