British Airways hacked: Scale of customer data breach is 'astounding', security experts say

Data breaches of this scale rarely include credit card and other financial details

Anthony Cuthbertson
Friday 07 September 2018 09:40 EDT

The scale of the British Airways data breach has been described as "astounding" and "very worrying" by cyber security experts, after hundreds of thousands of customers' personal and financial data was obtained by hackers.

Around 380,000 of the airline's customers were affected by the breach, which took place between 21 August and 5 September and was disclosed on Wednesday evening.

"The scale and nature of this attack is astounding, with around 380,000 customers knowingly affected," Ross Brewer, from security intelligence firm LogRhythm, told The Independent.

"We have heard many times of data breaches involving the theft of personal information which, whilst still very serious, doesn’t often include financial details.

"This breach involved both personal and financial information being stolen which is causing significant problems, not only for BA and its customers, but also banks which are struggling to manage the number of incoming calls to cancel credit cards."

BA said no passport or travel details were stolen, but the type of data exposed means criminals could use the details to commit fraud and make high-value purchases.

Other security experts said the airline should be clearer about what type of personal details were affected, as this could have an impact on the risk posed to customers.

"It is not clear what ‘personal’ data has been lost and in some cases this can magnify the scope of the fraud," said James Lyne, head of research and development at cyber security firm SANS Institute.

"For customers it is really important to know exactly what data has been lost so BA should offer some clarity on this as soon as possible."

British Airways chief executive Alex Cruz described the data breach as a "sophisticated, malicious criminal attack" and promised financial compensation to the customers affected.

"We are extremely sorry for what has happened. We know it has caused concern to some of our customers," Mr Cruz told the BBC.

"Our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data."

BA discovered major data breach on Wednesday (Getty)

The full financial impact on affected British Airways customers may not be realised immediately, however, with the bank card details likely to pass through criminal forums on underground websites before they are used.

Cyber security analyst Leigh Anne Galloway, from Positive Technologies, told The Independent: "Once hackers have hold of high-value data like card details, the market in criminal networks for reselling is huge, meaning that we may not see the effects of this theft immediately until a buyer acts.

"The best thing to do for anyone who thinks their details may have been involved, or who has been told so by BA, should keep an eye on their transactions."

Ms Galloway and other security experts advised BA customers to be wary of scam emails that use credentials taken from this breach, and to consider cancelling their credit and debit cards for peace of mind.
