British Airways Website, Mobile App Breach Compromises 380k

British Airways said approximately 380,000 card payments were compromised after a security breach occurred on the company’s website and mobile app in August.

According to the airline, which notified customers on Thursday, the breach compromised the personal and financial details of customers – including name, address and bank card details like CVC code – who made bookings on its website (ba.com) and the airline’s app.

No travel or passport details were stolen, according to British Airways, which is one of the U.K.’s biggest airlines.

“No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline’s mobile app,” a British Airways spokesperson told Threatpost via email.

“We understand that this incident will cause concern and inconvenience,” said the spokesperson. “We have contacted all affected customers to say sorry, and we will continue to update them in the coming days. British Airways will not be contacting any customers asking for payment card details; any such requests should be reported to the police and relevant authorities.”

The breach occurred between August 21 and September 5, according to the airline. The issue has since been resolved and the ba.com website is working normally, according to a notice on the company’s website. British Airways did not answer further questions about the specific cause of the breach.

The airline told Threatpost it guarantees that financial losses suffered by customers directly as a result of the theft of this data from British Airways will be reimbursed, and it is recommending that customers contact their bank or card provider if they made a booking, or a change to a booking, between August 21 and September 5.

British Airways continues to investigate with the police and cyber specialists, and has reported the data theft to the Information Commissioner. The airline is also communicating with impacted customers.

It’s not the first time the company has dealt with a security crisis – in 2015, British Airways suspended users’ frequent flier accounts after “unauthorized activity” that some reports called a data breach.

British Airways is only the most recent airline to suffer a security incident – recent years have seen a slew of phishing campaigns and malware attacks aimed at harvesting credentials from airline customers. Last year researchers discovered a wave of email-based phishing campaigns targeting airline consumers with messages that either carried malware to infect the recipient’s system or contained links to spoofed airline websites designed to trick victims into handing over credentials.

In August, Air Canada said 20,000 mobile app users had their passport information exposed, and it asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22 and 24.

And, earlier in April, Delta said “a small subset” of customers were impacted by a data breach tied to malware planted on a third-party service. That cyberattack hit software service provider [24]7.ai, a company that provides online chat services for Delta. Those attacks began on Sept. 26, 2017 and continued through Oct. 12, according to [24]7.ai. The service provider said its systems were targeted in a malware attack, but declined to detail the nature of the incident.

But security experts are still unsure whether any of these attack patterns could be at the root of British Airways’ incident.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, praised British Airways for its rapid response to the breach – but said it is too early to draw definitive conclusions about the origins of the security incident.

“Web applications are the Achilles’ heel of modern companies and organizations,” he said. “Lawmakers make their lives even more complicated; as, for example, with GDPR, many organizations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented.”