British Airways fined £183m following recent cyber attack

British Airways faced with £183m fine following 2018 data breach

Since the introduction of GDPR regulations in May 2018 the possible consequences of hacks have increased with data breaches now potentially leading to large fines.

At the back end of last year British Airways became a target of a cyber attack which compromised the financial data of it’s customers.
For a period of around 2 weeks hackers exploited the British Airlines website undetected, being able to access personal and financial details of customers, believed to be around 400,000. Being able to access names, addresses, credit card numbers, expiry dates and even three-digit CVV codes on the back of the cards gave the hackers everything they needed to make fraudulent payments.

Under new GDPR regulations businesses are required to report a breach within 72 hours of it being detected. British Airways are claiming to have reported the breach during this time-frame but were under scrutiny for failing to take all the necessary measures to protect personal data in the first instance.
Customers started to notice unusual account activity before the airline announced the attack and many customers found out about the breach through social media and news reports rather than direct contact from British Airways themselves.

Under the new regulations companies can incur a fine of £17million of 4% of their annual turnover (whichever amount is greater). British Airway’s 2017 turnover was £12.2 billion which meant they could have faced fines of up to £500million.
‘Luckily’ The Information Commissioner’s Office (ICO) settled on a final fine amount for British Airways amounting to a mere £183million.
At the moment it is unclear of the financial implications for customer compensation, if any is to be provided.

This is the first penalty to be made public and the largest fine to date regarding data breaches.
The airline now has 28 days to appeal the decision.

Other fines include £500,000 to Facebook regarding a data breach, but this was before the GDPR regulations came into play and the maximum fine level was increased. Dixons Carphone Warehouse came under fire last year due to exposing the data of 6million customers, at the time expecting to receive fines of up to £400million.

Let’s take a look at how the breach may have occurred and how AppCheck can help your organisation to stay ahead of attacks like this.

How did the breach occur?

Hackers managed to gain access to financial data of 400,000 customers.

Although full details have not been released, it is believed that users accessing the British Airways site during this period were re-directed to a fraudulent site where hackers could collect their details. This is thought due to the fact hackers were able to access CVV details and that the data was collected during a specific time-frame. Had hackers simply gained access to database information they would not have CVV details, as BA claim this in not something that is stored. Also many more details could have been accessed going back much further than the 2 week window.

Last year a similar attack occurred on Ticketmaster, being targeted by a group known as ‘Magecart.’
Ticketmaster themselves were not the targets but a third-party linked to the site (Inbenta) where the hackers managed to replace a custom JavaScript module with code for their online skimmer.
The group conducted wide-spread online card-skimming activities affecting over 800 e-commerce sites globally, being able to lift financial information as it was input into the site.
Although similar, the attack on British Airways is believed to have been more tailored and targeted to the company’s specific infrastructure.

How can a tool like AppCheck help?

AppCheck includes a number of tools and plugins to help manage the risk on these types of attack to detect compromised external 3rd party scripts and also raise awareness of third party scripts in use in your application. This helps detect card skimming applications even when you cannot use script integrity hashes because the vendor does not support them.

As well as this AppCheck will also detect known bad neighbours (hosts known for malicious activity) found within scripts and any potential sinks for execution via static analysis.

More Information

As always if you would like more information on this, please do get in contact with us at: info@appcheck-ng.com

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial