'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks
380,000 payment cards, personal info slurped by crooks
British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers.
"From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised," the airline said in a statement on its website.
According to BA, the stolen data did not include travel or passport information. It does, however, appear to have included the personal and financial details of those booking travel via the BA website and mobile app during the affected period. As many as 380,000 payment cards were exposed to the intruders.
In a separate statement, Alex Cruz, British Airways' chairman and CEO, said: "We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously."
The air carrier said it will contact affected customers and advise them to inform their financial service providers about the incident. It plans to handle any financial claims on an individual basis.
BA insisted its ransacked systems have been patched up, and its website is now working normally.
At the time this article was filed, Google Chrome continued to report that the airline's Customer Data Theft notification webpage is not fully secure and that visitors should not enter sensitive information like passwords or credit cards. The main BA landing page, however, qualified for a security lock icon.
Chrome's web developer tools indicate that, among other issues, the alert page contains a mix of secure and insecure content, the problematic element being a form that targets an insecure endpoint.
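A check for the condition Chrome flagged, as an added example that is not part of the original article: the script scans a page served over HTTPS for forms and subresources that resolve to plain `http://` URLs, honouring `<base href>` the way a browser does. The sample markup and the `example.test` hostnames are constructed for illustration and are not the airline's actual page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose URL the browser fetches or submits data to.
CHECKS = {
    ("form", "action"): "form posts to insecure endpoint",
    ("input", "formaction"): "form posts to insecure endpoint",
    ("script", "src"): "active mixed content",
    ("iframe", "src"): "active mixed content",
    ("img", "src"): "passive mixed content",
}

class MixedContentScanner(HTMLParser):
    """Collects (line, tag, resolved_url, issue) for http:// references."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # replaced by <base href>, as in a browser
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"].strip())
            return
        for (t, attr), issue in CHECKS.items():
            if t == tag and attrs.get(attr):
                url = urljoin(self.base, attrs[attr].strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, url, issue))

def scan(page_url, html):
    """Return findings for a page served over HTTPS; empty list otherwise."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, not the airline's actual markup.
SAMPLE = """<html><body>
<img src="/logo.png">
<form action="http://forms.example.test/subscribe" method="post">
<input name="email"></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, issue in scan("https://www.example.test/notice", SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {issue}")
```

Relative URLs such as `/search` inherit the page's scheme and pass; only targets that resolve to `http://` are reported.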
Spokespeople for British Airways declined to comment beyond their official statements. ®