Details of up to 185,000 more passengers may have been compromised in data breach

The Guardian online has reported that there may be as many as 185,000 further victims in the recent data breach to hit British Airways, in an ongoing incident that stretches back to spring of this year.

In a statement to the stock market, International Airlines Group, which owns BA, said that customers who booked using their flight reward payment card between 21st April and 28th July this year may have had their details stolen.

News broke last month of the airline’s confirmation that 380,000 pay card details could have been compromised, but this estimate was revised down last week to around 244,000.

British Airways has said that among the private details that may have fallen into hackers’ hands are the names, real addresses, email addresses, card numbers, expiry dates and CVV numbers of a further 77,000 travellers.

The details of up to 108,000 more customers may have been stolen, not including the CVV code on the reverse side of payment cards.

Keen not to disrupt the ongoing police probe, the iconic UK carrier has not released details of how the breach happened. However, IAG has said that “conclusive evidence” does not exist that the data has been “removed from its systems”. The group has, however, told customers to speak with their bank or card provider as a precautionary measure.

While BA has not yet said whether or not fraud has taken place in the wake of the breach, IAG has underlined its continued efforts to collaborate with specialist cyber forensic investigators and the National Crime Agency to get to the bottom of the blunder.

Having previously vowed to compensate victims of the breach, Alex Cruz, chairman and chief executive of British Airways, spoke of his deep regret over the situation as it has unfolded. In September, Mr Cruz took the opportunity to say that he takes “the protection of customer data very seriously”.

The hack is one more in a line of critical IT problems for the airline; an infrastructural failure in May of last year kept planes grounded for 24 hours at Heathrow and Gatwick airports.

How did the hackers get in?

Following the breach, a study conducted by IT security firm Securonix highlights card skimming as a potential technique used by the hackers. The technique, used against other major victims including Ticketmaster, works through the installation of malicious customised JavaScript on the target’s website, the betanews website reports.

“This can be done directly by compromising the victim’s site, or indirectly by compromising a third-party component used by the victim – replacing the original, legitimate JavaScript, with the malicious version,” betanews says.

It is likely that the BA website’s content was the door for the attack. Some versions of the technology include a “special tripwire code” that detects when development tools are used to view the source of the scripts, and which then sends the IP address, the time zone and additional infrastructural details back to the hackers.
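As an added example (not from the article, Securonix or betanews), one defensive check against the script replacement described above is to compare every script a site serves with a pinned Subresource Integrity digest taken from a reviewed copy. The URLs, script bodies and helper names below are constructed for illustration.

```javascript
// Added example: flag replaced or injected scripts by comparing what is
// served against pinned Subresource Integrity (SRI) digests.
const { createHash } = require('node:crypto');

// SRI digest in the form used by <script integrity="...">.
function sriDigest(body) {
  return 'sha384-' + createHash('sha384').update(body).digest('base64');
}

// Build the baseline from reviewed, known-good script bodies.
function buildBaseline(scripts) {
  const baseline = new Map();
  for (const [url, body] of Object.entries(scripts)) {
    baseline.set(url, sriDigest(body));
  }
  return baseline;
}

// Compare currently served scripts with the baseline. Findings are
// MODIFIED (digest mismatch), UNEXPECTED (not in the baseline) or
// MISSING (in the baseline but no longer served).
function auditScripts(baseline, served) {
  const findings = [];
  for (const [url, body] of Object.entries(served)) {
    const actual = sriDigest(body);
    if (!baseline.has(url)) {
      findings.push({ url, status: 'UNEXPECTED', actual });
    } else if (baseline.get(url) !== actual) {
      findings.push({ url, status: 'MODIFIED', expected: baseline.get(url), actual });
    }
  }
  for (const url of baseline.keys()) {
    if (!Object.hasOwn(served, url)) findings.push({ url, status: 'MISSING' });
  }
  return findings;
}

// Constructed sample data (not real site content).
const reviewed = {
  'https://shop.example/js/checkout.js': 'function pay(form){ return submit(form); }',
  'https://cdn.example/lib/widget.js': 'var widget = 1;',
};
const servedNow = {
  'https://shop.example/js/checkout.js': reviewed['https://shop.example/js/checkout.js'],
  'https://cdn.example/lib/widget.js': reviewed['https://cdn.example/lib/widget.js'] + '\n/* appended code */',
  'https://cdn.example/lib/extra.js': 'void 0;',
};
const findings = auditScripts(buildBaseline(reviewed), servedNow);
for (const f of findings) console.log(f.status, f.url);
```

The same digest string can be placed in the `integrity` attribute of a `<script>` tag, in which case the browser refuses to run a third-party file whose content no longer matches.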

Know the risks

Malicious attacks of this nature are part and parcel of business life in today’s data economy, but new legislation, such as the General Data Protection Regulation (GDPR), has put new pressure on organisations to make data security an everyday concern so that private consumer details stay safe.

Whatever point your company is at on the journey to GDPR compliance, answers can be obtained on all the key issues at Data Protection World Forum (DPWF) coming to London’s Excel arena on November 20th and 21st.

Among a roster of leading authorities on data protection are a number of cyber security specialists including:

  • Darron Gibbard, Managing Director for EMEA North at Qualys
  • Charlie McMurdie, Senior Cyber Crime Advisor at PWC
  • Rosalind Goodfellow, Head of Domestic Data Protection Policy at the Department for Digital, Culture, Media & Sport
  • Chris Combemale, CEO of the DMA
  • James Felton Keith, President of the Data Union
  • Guy Johnson, Head of Data Governance at Marks & Spencer

Free-to-access content theatres include:

  • ISF Pavilion Cyber Security & Risk Management
  • GDPR Advanced
  • Marketing & Advertising
  • GDPR Refresh sponsored by TrustArc & BigID
  • Speakers’ Corner in association with Cyber Talks

Each theatre features a packed two-day agenda of keynotes and panel discussions held by global authorities in data protection, exclusively at Data Protection World Forum at London’s Excel arena on 20th and 21st November.
