Dan Kitwood/Getty Images
show image

British Airways breach affected another 185,000 customers

British Airways’ investigation into its summer data breach has revealed that a further 185,000 customers’ personal information was stolen earlier in the year.

On Thursday (26 October), the airline confirmed that an additional 77,000 customers’ personal data and card information, including three digit CVV security codes, were stolen between mid April and late June. A further 108,000 customers’ details were stolen without the CVV code.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” BA said in a statement. “Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.””

BA also revised down the number of payment card details suspected to be affected in the previously disclosed breach. The airline had originally said that 380,000 details were exposed, but its investigation revealed that of those only 244,000 were affected. It said there were no “verified cases of fraud”.

In an interview with the BBC in early September, chief executive Alex Cruz described the attack as “sophisticated” and “malicious”. The airline pledged to fully reimburse customers and pay for a credit checking service.

It is illegal for businesses to store CVV numbers and BA insists it did not do so, suggesting hackers were able to intercept payments in real-time. The attack has since been linked to the Magecart group, a cyber criminal gang also thought to have been behind the other big breach of the summer: the Ticketmaster hack.

Magecart is known for a kind of attack called formjacking, in which criminals insert malicious JavaScript code into e-commerce sites to harvest their customers’ credit card details.

Research published by Symantec later in September suggested that rather than turning down the heat after its alleged hits on Ticketmaster and BA, Magecart ratcheted up its campaigns.

Since mid-August, Symantec had blocked almost a quarter of a million instances of attempted formjacking, including 88,500 during the week of 13-20 September alone, which was more than twice as many as the same week in August.

Commenting on BA’s latest admission, Rusty Carter, head of product management at Arxan Technologies, said: “Whilst the gap in their security may have been plugged back in September, it is concerning that this incident, which went on for a considerably longer period of time than the previous two-weeks, has only now been uncovered as part of an ongoing investigation by the airline, cyber forensic investigators and the National Crime Agency.

“It demonstrates that enterprises still do not have in place robust enough security to protect their backend systems and databases, or the measures in place to identify these attacks in real time and cut them off as soon as abnormal activity is detected.”