Industry experts have commented after British Airways announced it was investigating the theft of customer data from its website and mobile app.
The airline, one of Europe’s largest, said the stolen data did not include travel or passport details and that the incident was being investigated as a ‘matter of urgency’.
In a statement released online, the company said that from 10.58pm (BST) on August 21 2018 until 9.45pm (BST) on September 5 this year, inclusive, the personal and financial details of customers making bookings on its website and app were compromised.
“The breach has been resolved and our website is working normally. We have notified the police and relevant authorities,” the statement said.
“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
Anyone who believes they might have been affected is urged to contact their bank or credit card provider and follow their recommended advice.
Further updates will be posted on the airline’s page.
Commenting on the breach, Israel Barak, Chief Information Security Officer at Cybereason, said: “The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone.
“Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over.
“As an industry until we can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”
Meanwhile, Tim Mackey, Technical Evangelist at Synopsys, said GDPR has placed us in a world where disclosure of data breaches is likely to occur before the full details of the attack are known.
He said: “On the positive side, companies are highly incented to improve the level of security monitoring they perform.
“While to the travelling public, a two-week window under which the attack wasn’t properly identified as such is alarming, the reality is that absent regulations like GDPR such incidents could go undisclosed for significantly longer.
“It is my hope that while we see an increase in disclosures in the near term, as organisations improve their software and system security measures a marked decline in successful attacks will ensue.”
Luke Brown, VP EMEA at WinMagic, said data loss, data theft and data breach are all phrases which are now part and parcel of the daily news agenda.
“It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised, ubiquitous encryption platform in place. When did we last read an article about a data compromise or breach which is then followed up with ‘but don’t worry as the data was encrypted’?” he said.
“Falling victim to cybercriminals is the new normal and all organisations need to take precautions to protect sensitive information should they become the victim of an attack.”
Jan van Vliet, VP & GM EMEA at Digital Guardian, added: “Typically, large data leaks are caused by malicious internal parties or malicious external parties that have compromised someone on the inside. In both cases, the insider could also be at a third-party supplier.
“It is therefore important for companies to focus data protection programmes not only on their own infrastructure but also on third-party suppliers.
“The incident serves as a reminder to all organisations to have a good understanding of critical assets (in this case credit card numbers) and how this information is used across all business units and operations. One way to ensure this is to put in place one consistent data protection policy across all parties that come into contact with these critical assets. This includes auditing third parties to ensure they have equivalent levels of protection.”
Paul Farrington, Director, EMEA at app security company CA Veracode, has called for more consistency in security and app performance in the airline industry.
He said: “The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.
“IT issues are not only affecting BA but also the wider airline industry. Airlines have a duty to keep the planes in the air and the majority of investment goes into that. However, recent outages show investment should also be directed at technology. As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.
“Customers are right to be angry. If UK businesses want to avoid becoming the next victim of a breach it is crucial that they take significant steps to secure their software, web applications and networks to ensure that they aren’t their weakest points of attack.”
Simon Edwards, Cyber Investigator, GCFA, Trend Micro, said the news shows – once again – that every organisation must be vigilant to cyberattacks.
“But what it also shows is that the General Data Protection Act (GDPR) is working. According to reports, BA has reported the breach quickly and in a highly professional manner,” he said.
“This demonstrates how important it is for organisations to plan and be prepared for cyberbreaches and to have the technology deployed which can quickly identify a breach and provide incident response teams with the information they need to brief management teams, so that they can properly communicate the breach to the wider public.”