British Airways Investigating 'Sophisticated' Hack That Hit 380,000 Clients

Airline British Airways (BA) revealed yesterday that it was investigating a worrisome and sophisticated cyber attack. The criminal breach is presumed to have put at risk the financial and personal details of around 380,000 clients.

We are investigating the theft of customer data from our website and our mobile app, as a matter of urgency. For more information, please click the following link:https://t.co/2dMgjw1p4r

— British Airways (@British_Airways) September 6, 2018

Sophisticated and malicious

BA Chairman and Chief Executive Alex Cruz told Reuters that the firm had been infiltrated in a “very sophisticated, malicious criminal” cyber attack and that it was “deeply sorry” for the disruption. Cruz revealed that the criminals had not managed to break BA’s encryption, but did not disclose how they gained access. 

[see-also]

Meanwhile, BA's statement revealed that "the information compiled in the hack included names, street addresses, email addresses, credit card numbers and expiration dates, and credit card security codes." Luckily, customer travel plans and passport numbers were not affected.

Senior Security Lead at cybersecurity firm X Infotech Jurijs Rapoports told IE that this is not the first time that a company has suffered such a large scale data breach and that several airlines have already been hacked before. The important thing now, said the cybersecurity expert, is for the firm to take this opportunity to improve their security measures.

"Security should be a key part of all company processes or such incident will be repeated," said Rapoports. That sentiment was echoed by Senior Cybersecurity Consultant for cybersecurity firm GBProtect Mark Hellbusch.

"It's critical for companies to continuously test their public facing applications and landscape on a routine basis to identify vulnerabilities. Bad actors are constantly testing such applications until they find a vector that can be exploited and utilized in a malicious manner," Hellbusch told IE.

A proactive approach

For now, BA has said they have reached out to all those affected by the breach to apologize and will be issuing reimbursements for any financial losses incurred as a result of the hack. "No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline's mobile app," read the firm's statement. 

The carrier also said they were investigating the event with the police and cyber specialists, and had reported it to the Information Commissioner. The attack comes only 15 months after BA was hit by a massive computer system failure at London’s Heathrow and Gatwick airports. The disruption, that saw 75,000 passengers stranded over a holiday weekend, was later reported to have been due to human error.

BA, however, was quick to issue a video of Cruz apologizing to customers for the inconvenience and reassuring them that the firm was working "tirelessly" to resolve the issue as soon as possible. The firm also expedited full refunds for customers wishing to cancel their flights.

pic.twitter.com/E7B5im0C09

— British Airways (@British_Airways) May 27, 2017

Willie Walsh, the head of BA's parent company, IAG, later admitted that the airline had suffered some reputation damages due to the mishap, but insisted the firm was working hard to overcome them. "We recover from these, we work hard to recover,” he said.

It seems that the carrier is responding well to particularly difficult circumstances. Considering that security breaches are on the rise, we may want to cut them some slack.