A massive breach of security at British Airways, which compromised 380,000 card payments, shows that organisations of all sizes are vulnerable to cyberattacks if their security is flawed.
The theft of credit card numbers, expiry dates, street and email addresses and other personal data follows hot on the heels of BA’s IT meltdown last year.
BA’s chief executive said the company soon discovered that bookings made between 21 August and 5 September had been compromised by a very sophisticated, malicious criminal attack, and that customers were notified as soon as the breach became known.
But BA remains tight-lipped about how so much personal data was stolen – although it has assured customers that its encryption was not compromised.
The National Crime Agency is now working with BA to try and discover how the data breach occurred. Security company Avast has already suggested that the attackers targeted a gateway between the airline and the payment processor because no travel details were stolen.
Gary Jowett, from Computer & Network Consultants in Brighton, said: “After last year’s chaos for BA’s customers, this latest incident may further damage BA’s brand and impact its profits in the longer term. It’s yet more evidence of the need to frequently test out every entry point into your IT systems to ensure there isn’t a flaw. Such a weak point in the infrastructure clearly occurred in this instance which highlights the need to do regular audits and security tests such as public-facing applications which hackers will target until they find some piece of code which can be exploited for malicious purposes.”
The airline says no customer lost money as a result of the data breach but every individual customer affected immediately became a much more attractive target for future attacks.
Gary added: “The data stolen is now available for re-use or re-sale to a third party, so any business travellers affected and all other BA customers should make sure they’ve cancelled all pertinent cards and should consider changing email addresses, passwords and any other sensitive data.”