The incident took place when BA's systems were compromised by its attackers, and then modified to harvest customers' details as they were input.
In summer 2018, a data breach affected almost 500,000 customers of British Airways, of whom almost 250,000 had their names, addresses, credit card numbers and CVV numbers stolen. The attackers gained access to British Airways systems via the account of a compromised third party and escalated their account privileges after finding an unsecured administrator password. They stole data that British Airways was improperly recording and also redirected users of the British Airways site to a bogus one that was designed to steal more data. In October 2020 the ICO fined British Airways £20 million for breaches of GDPR related to the breach.
British Airways said it had alerted customers as soon as it had found out about the attack on its systems. "We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation," said a spokesman. Data protection officer Carl Gottlieb said that in the current climate, £20m was a "massive" fine.
The logging of payment card details was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.
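A check for the failure described above, as an added example that is not part of the original post: it scans log lines for plaintext card numbers, using the Luhn checksum to discard other long digit runs, and returns masked findings. The log format, field names and sample lines are constructed for illustration and use well-known test card numbers.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects booking refs, ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be triaged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line: str):
    """Return (redacted_line, hits); hits are the masked card numbers found."""
    hits = []
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave untouched
        hits.append(mask(digits))
        return hits[-1]
    return PAN_RE.sub(_sub, line), hits

def scan(lines):
    """Return [(line_number, masked_pan)] for every plaintext card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend((n, h) for h in redact_line(line)[1])
    return findings

# Constructed sample log lines (hypothetical format, test card numbers only).
SAMPLE_LOG = [
    "2018-08-21 10:02:11 DEBUG payment card=4111111111111111 cvv=123 exp=12/20",
    "2018-08-21 10:02:12 INFO booking ref=1234567890123456 confirmed",
    "2018-08-21 10:02:13 DEBUG payment card=5555 5555 5555 4444 name=J Smith",
]

if __name__ == "__main__":
    for n, pan in scan(SAMPLE_LOG):
        print(f"line {n}: plaintext card number {pan}")
```

Run over existing log files, any finding means card data is being written in the clear; `redact_line` can also be applied before a line is written.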
British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018, with credit card details of around 380,000 total customers being compromised. The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes, enough to allow thieves to steal from accounts. 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include CVV numbers.
Of the 500,000 victims of the breach, 250,000 had their names, addresses, card numbers, and CVV numbers taken. The remainder of the victims lost less personal information.[1] British Airways urged customers to contact their banks or credit card issuer and to follow their advice.[3] NatWest said that it received more calls than usual because of the breach.[3] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.
Main website for more info: https://www.britishairways.com/travel/home/public/en_ca/
