BA's app and website hacked

Customer data theft



We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.



From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.



The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.



We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.






How do I know if I have been affected?



This relates to customer bookings made from 22:58 BST August 21 2018 to 21:45 September 5 2018 inclusive. We will be contacting affected customers directly to advise them of what has happened and are advising them to contact their banks or credit card providers and follow their recommended advice.

Latest information | Data Theft | British Airways
 
So every time I've managed to learn my credit card number by heart, I have to change it. Really annoying...
 
Am I reading this right? Only those who made a booking (used their card) with BA from 21/8 22:58 BST up to and including 5/9 21:45 BST are affected?
 
Hmm


Mr Basic wrote: Am I reading this right? Only those who made a booking (used their card) with BA from 21/8 22:58 BST up to and including 5/9 21:45 BST are affected?

That's how I read it too. I assume that even if they got hold of card numbers, they would still need the CCV, which BA does not store.
 
agehall wrote: Hmm, that's how I read it too. I assume that even if they got hold of card numbers, they would still need the CCV, which BA does not store.


Unfortunately not. I booked during this period and got an email this morning; I'm pasting in the part of the text that concerns the CCV here:



The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.
 
nissefalk wrote: Unfortunately not. I booked during this period and got an email this morning; I'm pasting in the part of the text that concerns the CCV here:

That's exactly what I meant - they only got hold of the CCV for the cards that were actually used during the period.
 
The CCV is only kept until the transaction has been confirmed; after that it must be deleted.
 
Is it called CCV or CVV?

Anyway, since the CVV seems to have ended up in the wrong hands, I read it as the communication between the website/app and the PSP (?) having somehow been intercepted, probably by injecting code at the step before all the payment data is sent out over the network (since that part is presumably encrypted). That would also explain why customers who had their data saved on the site but did not use it during the period have not received any warnings (as I read it).
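The client-side injection hypothesis above, seen from the defender's side, as an added example that is not from the thread: a small audit of a checkout page's script tags that flags scripts loaded from hosts outside an allowlist, scripts without a Subresource Integrity attribute, and inline script blocks. The page HTML, the allowlist and all hostnames are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the payment page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-airline.test", "static.example-airline.test"}


class ScriptAuditor(HTMLParser):
    """Collects findings about every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self._in_inline_script = True  # body arrives via handle_data
            return
        host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unexpected_host", src))
        if "integrity" not in a:
            self.findings.append(("missing_integrity", src))

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(("inline_script", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit_checkout_page(html):
    """Return a list of (finding_type, detail) tuples for the given HTML."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample checkout page: one clean same-origin script, one allowed
# host without SRI, one unexpected third-party host, and one inline block.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://static.example-airline.test/lib.js"></script>
<script src="https://cdn.unexpected.test/jquery.js"></script>
<script>window.checkoutReady = true;</script>
</head><body><form id="pay"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_PAGE):
        print(kind, detail)
```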
 
So this went on for about 3 weeks before it was discovered... Nice one, BA. Feels like they have misprioritised all their resources on degrading their product as efficiently as possible over the years, when they clearly had other areas that needed more focus.
 
The Times has an interview with one Ben Oguntala, who is said to have worked in fraud prevention at BA's Waterside head office...





“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.



One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.



“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”



The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.



Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”



Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”



British Airways hack was ‘a disaster waiting to happen’ | News | The Sunday Times
 
And then the breach grew quite considerably:




British Airways wrote:

Dear Customer,

On 6 September 2018, we regrettably announced that we were the target of a criminal data theft involving the personal and financial details of customers making or changing bookings at ba.com, or via the British Airways app.

Since then we’ve been conducting a thorough investigation with specialist cyber forensic investigators, liaising with the National Crime Agency. As a result of the investigation I am writing to let you know that you may have been affected by the data theft, when you made a reward booking between 21 April and 28 July 2018.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card number, expiry date and CVV. As a precaution we recommend you contact your bank or card provider and follow their advice.

We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details. We’ll also offer credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.

Action you need to take

We take the protection of your personal information very seriously and would encourage you to review the advice below:

1. British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.
2. Review your credit card or bank account statements as soon as you can to check for unauthorised transactions or payments. If you suspect fraud, contact your bank immediately.
3. Do not respond to or follow any web links from untrusted sources.

Once again, we truly apologise for any worry and inconvenience this criminal activity has caused. Our contact numbers can be found at ba.com, or you can email our Data Protection Officer at [email protected].
 