On Sep. 7, UK ICO, NCSC update on British Airways data breach.
- Confirmed British Airways had made them aware of an incident, enquiries ongoing.
BA Response
- CEO Alex Cruz said hackers carried out a sophisticated, malicious, criminal attack.
- The personal or financial details of customers making bookings were compromised.
- 380k transactions were affected, but data did not include travel or passport details.
- BA committed to working with customers who have been financially affected by the attack, to compensate them for any financial hardship that they may have suffered.
Breach
- BA said the breach took place between 22:58 BST on Aug. 21 and 21:45 BST on Sep. 5.
- The shares in British Airways parent group IAG closed 1.4% lower on Sep. 7, 2018.
- BA said customers affected by breach had been notified on Thursday night (Sep. 6).
- Breach only affects people who bought tickets during the timeframe provided by BA.
- Data stolen included name, email address and credit card information (i.e. the card number, expiration date and the three-digit CVV code on the back of the card).
- BA insists it did not store the CVV numbers, which is prohibited under international standards.
- Since BA said attackers managed to obtain CVV numbers, security researchers have speculated that card details were intercepted, rather than harvested from a database.
Potential Fine
- BA's data breach took place after introduction of the new Data Protection Act, which includes provisions of the new European General Data Protection Regulation (GDPR).
- Under the new regulations the maximum penalty for a firm hit with a data breach is a fine of either £17 mn or 4% of global turnover, whichever is the greater amount.
- In the year ended Dec. 31 2017, BA total revenue was £12.2 bn, meaning the company could face a fine of around £500 mn if the Information Commissioner's Office takes action.
NCSC Advice
- The NCSC issued advice for customers who have used the BA website or mobile application.
- If you used the BA website or mobile application to purchase services during the period stipulated, the NCSC recommends contacting your financial institution to check for irregular activity.
- Customers should monitor financial accounts for any suspicious transactions, ensure their passwords are secure, and consider changing passwords for key accounts.