Hackers obtained the credit card details of some 380,000 British Airways travelers during a two-week data breach this summer that leaves the customers vulnerable to financial fraud, the airline says.
BA's CEO, Alex Cruz, said Friday that enough data was stolen to allow criminals to use credit card information for illicit purposes, and that police are investigating.
"We know that the information that has been stolen is name, address, email address, credit card information; that would be credit card number, expiration date and the three-letter code in the back of the credit card," Alex Cruz said.
He added that no passport data had been obtained in what he called "a very sophisticated, malicious criminal attack."
The airline advises people to contact their bank or credit card company if they used the airline's website and mobile app to make or change a booking between 10:58 p.m. London time on Aug. 21 and 9:45 p.m. London time on Sept. 5.
The recommendation does not apply to customers who bought tickets or changed reservations outside those times.
The airline promised to reimburse any financial losses suffered by customers directly because of the theft of this data.
British Airways faces another public relations nightmare as the company has advised that their mobile app and website were the target of a cyber breach which has compromised personal data, specifically the payment card information, of at least 380,000 customers.
The breach was announced on Thursday and customers affected are those who made or changed bookings on the company’s platforms over a 15-day period between 21:58 GMT on August 21 and 20:45 GMT on September 5.
British Airways CEO Alex Cruz issued an apology and appeared on various media on Friday to apologize further for the "very sophisticated malicious criminal attack."
Cruz reassured customers that the sites were now secure and investigations were underway as to how the criminals accessed the payment card information of the customers, which included the three-digit CVV number on the back of credit and debit cards.
Companies are legally not allowed to store the CVV, which is of particular concern in the investigation.
Also of concern is how long the harvesting of customer details was able to continue: over two weeks, with the airline only noticing something was awry on Wednesday night and concluding the serious extent of the criminal activity on Thursday.
Emirates President Sir Tim Clark was speaking at the annual Aviation Festival in London on Friday and offered his rivals some words of consolation saying that BA was dealt a dose of bad luck.
Sir Tim added that airlines can expect further breaches as digital transformation of the business increases.
He said, "At Emirates we have strengthened and added resources to the cyber security units. The fact is if you do not spend time and money you are going to be hugely exposed."
IT news site The Register quoted an unnamed expert as saying the cause of the breach may probably come down to either not having an update tested before it goes live, cost-cutting resulting in the site not being tested as often as it should have been or lower quality support, not patching the servers.
The site also reported that on August 1 BA’s Group IT Service Effectiveness Manager had advised staff that management had approved a proposal to outsource the airline’s cyber security to IBM and that a consultation process with affected staff would be initiated.
BA has been under scrutiny in the last few years for the cost-cutting measures and business model changes which have been implemented across the airline under Cruz.
With regard to those customers affected by the breach, Alex Cruz said: "We will compensate them for any financial hardship that they may have suffered."
What that compensation will be is yet to be determined, with BA customers taking to social media to express their anger and frustration against the airline.
Affected customers should first seek advice from their bank, then monitor bank and credit card statements closely for signs of possible fraudulent activity.
There could also be phishing scams in which hackers try to trick affected consumers into revealing personal information such as PIN codes or banking passwords.
Some customers are relating stories of being stranded in foreign countries without access to funds as their banks have advised them to cancel their payment cards.
Further concern is being raised about the opportunities the criminals have to use the data obtained in a myriad of fraudulent practices, such as creating fake accounts with other companies.
Some angry travelers complained that they had already noted bogus activity on credit cards that had been used to make British Airways bookings during the time when the breach was undetected.
The hack once again puts the spotlight on the strength of the IT systems at major companies as they expand their digital services.
British Airways experienced an IT-related crisis in May last year when roughly 75,000 passengers were stranded after the airline cancelled more than 700 flights over three days because of system problems.
In the UK, the incident is also being investigated by the Information Commissioner’s Office, the National Crime Agency and the National Cyber Security Centre.
If BA is found to be in breach of recent EU GDPR legislation, introduced in May, they may face a fine equivalent to four percent of their annual global revenue.
For the airline, this would equate to £489m in addition to the passenger compensation.
When attempting to access BA’s online Media Center on Friday afternoon to retrieve further updates on the situation, users were prevented from doing so and were faced with a Privacy Error message which read: "Attackers might be trying to steal your information from mediacentre.britishairways.com (for example, passwords, messages or credit cards)."
In the U.S., Delta Air Lines said in April that payment-card information for several hundred thousand customers could have been exposed by a malware breach months earlier.
The same breach also hit Sears Holdings Corp., which operates Kmart stores.
British Airways revealed the new hack Thursday evening and began notifying customers.
Britain's National Crime Agency says it is investigating.
Tourism Observer