Learn why British Airways faces a massive fine due to a 2018 data breach and is facing another security issue, reinforcing the need for strong data security
Just as British Airways was hit with a massive fine as a consequence of a 2018 data breach, the airline reportedly could be in trouble again for exposing passenger data to hackers.
For the airline, already facing a PR problem due to the earlier British Airways data breach, the latest news adds more problems and concerns about data security.
What Was the 2018 British Airlines Data Breach?
British Airways announced in September 2018 it had discovered a data breach that had exposed information on 500,000 customers who booked travel on its website or mobile app. Among the personal and financial data exposed in the breach were name, address and bank card information, including CVC code. No travel information was stolen.
The breach is believed to have begun in June 2018. The alleged perpetrators are Magecart, a hacking group that since 2015 has been among the most prolific card-stealing outfits. The group was able to load a card-skimmer script onto the British Airlines website. Whenever a customer submitted their payment information, the card information and name were extracted and sent to the hackers.
What Were the Consequences of the 2018 British Airways Data Breach?
In July 2019, the U.K.’s Information Commissioner’s Office (ICO) announced a fine of $230.5 million for British Airways. The privacy watchdog organization fined the airline for a breach of the General Data Protection Regulation (GDPR). The GDPR is a wide-ranging set of requirements that require companies to protect the data it collects and uses for European Union citizens.
What Does the Fine Mean for Companies?
In a statement, airline CEO Alex Cruz said the company was “surprised and disappointed” by the potential fine. The penalty represents about 1.5 percent of British Airways’ global turnover.
Critics, however, believe the fine should be a wake-up call for companies worldwide about the importance of keeping customer data protected.
“Simply put, these companies should not be ‘disappointed’; they should be better,” noted a recent pcmag.com article. “As any good medical professional knows, prevention is easier, and cheaper, than a cure. Security is no different.”
The article notes that the airline website and app were compromised by just 22 lines of code. It was a third-party Javascript vulnerability in a tool called Modernizr that led to the breach.
The airline had not updated Modernizr since 2012. Other critics noted that in addition to British Airways’ poor upgrade procedures, a robust monitoring solution would have likely detected the breach sooner than the three months it took.
What Is the Latest British Airways Data Breach?
In August 2019, the data security firm Wandera reported on a security vulnerability that leaves personal passenger information exposed when booking a reservation on the website.
The airline had previously tried to streamline the user experience by including passenger details in the URLs it includes in emails. When a passenger clicks on the URL, they’re logged in automatically and can see their itinerary and check in to their flight.
The URL includes the passengers’ name and a booking reference. However, the link is unencrypted, which means that if a passenger is using a public WiFi network — such as those often found in airports — anyone snooping could intercept the URL to get access to the itinerary to steal information or manipulate the travel plans.
With access to a passenger’s account, a hacker can access contact information, addresses, BA frequent flyer information and flight details.
What Does This Mean for Data Security?
The British Airways cases reinforce the importance of having a multilayered, comprehensive data security plan, no matter the industry in which your company operates or how large it is. As more jurisdictions mandate data protection rules, the need to secure data will only increase.
- A trusted managed services provider can assess your data security and recommend solutions that provide the best possible protection, including:
- Next-generation firewalls that monitor your network perimeter, detecting, isolating and eradicating threats before any harm can come.
- Ongoing monitoring of networks, devices and users
- Data encryption tools
- Cloud-based storage solutions for data and applications, providing for quick recovery from a natural disaster or cyberattack
- Mobile device security
- Authentication and password guidance
To learn more about how to protect your customer data, contact Nexus IT, your Utah IT support company.
You must be logged in to post a comment.