British Airways has warned customers that about 3 lakh 80 thousand card payments on its website and app were compromised. According to BA, the breach relates to bookings made between 10:58 pm on 21st August 2018 and 9:45 pm on 5th September.
If you booked a ticket during this period, British Airways said it is in the process of contacting all affected customers and advising them to contact their bank or card provider and follow their advice. According to British Airways, the incident has been resolved and all systems are working normally.
Although British Airways has not revealed any technical details about this breach, security experts do have some suggestions about the possible methods used.
Personal information, including names, email addresses and credit card details (card number, expiry date and the three-digit CVV code), was stolen by the hacker. But how could this be possible?
Since the CVV code was stolen, it can be deduced that the breach could have happened at the point of entry: CVV codes are not meant to be stored by companies and are only used during verification of a transaction. One possible way this could have been done is with a script on the website that intercepted all of the above data.
Websites increasingly embed code from third-party suppliers for payment authorization, authentication, chat, ad placement and so on. It is possible that one of these scripts, which had access to the above data, was vulnerable or compromised. It is also possible that an insider who had access to the system tampered with the website and placed the malicious code.
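One check that follows from the third-party script scenario above, as an added example that is not part of the original article and says nothing about how the British Airways site was actually built: list every script a payment page loads from another host and flag those without a Subresource Integrity `integrity` attribute. The sample page, the hostnames and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page; all hostnames are hypothetical.
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.example.org/widget.js"></script>
<script src="//ads.example.com/tag.js" async></script>
</head><body>
<form action="/pay"><input name="card"><input name="cvv"></form>
</body></html>
"""


class ScriptAudit(HTMLParser):
    """Collect scripts loaded from hosts other than the page's own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (absolute_url, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script, out of scope for this check
        url = urljoin(self.page_url, src)  # resolves relative and // URLs
        if urlparse(url).hostname != self.page_host:
            self.findings.append((url, bool(attr.get("integrity"))))


def audit(html, page_url):
    """Return (pinned, unpinned) lists of third-party script URLs."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    pinned = [u for u, ok in parser.findings if ok]
    unpinned = [u for u, ok in parser.findings if not ok]
    return pinned, unpinned


if __name__ == "__main__":
    pinned, unpinned = audit(SAMPLE_PAGE, "https://shop.example.com/checkout")
    for url in unpinned:
        print("third-party script without integrity attribute:", url)
```

An `integrity` attribute only helps when a supplier's file changes after its hash was pinned; it does not cover a first-party script altered by someone with access to the site, the other scenario raised above.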
The real cause of the compromise will only be known once British Airways reveals the details. Such details could help other enterprises re-audit their security and improve it.
The GajShield Security team will keep you updated with the latest details on the British Airways breach and will also provide guidance on how enterprises can improve their security to prevent such breaches.