British Airways fined £20m for Magecart hack that exposed 400k folks' credit card details to crooks

Airline was saving domain admin creds and card details alike in plaintext


British Airways is to pay a £20m data protection fine after its 2018 Magecart hack – even though the Information Commissioner’s Office discovered the airline had been saving credit card details in plain text since 2015.

The fine, announced this morning by the UK's data watchdog, is almost exactly at the reduced £19.8m level that BA parent company the International Airlines Group had expected back in August.

“The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach,” thundered the ICO today. It also condemned BA’s claims during fine negotiations that credit card data breaches are “an entirely commonplace phenomenon” and “an unavoidable fact of life”.

The airline's spokesman told The Register: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”

British Airways’ internal payments systems were accessed by malicious people in June 2018, as we reported at the time. Some 380,000 people’s credit and debit card details were stolen as a result.

Alarmingly, the ICO’s redacted fine notice published today (PDF) revealed not only that the airline was compromised through a Citrix vulnerability but that it had been saving card details without any encryption at all – a huge no-no.

No MFA and plain text domain admin creds

The attackers began by compromising a BA network account issued to an employee of cargo-handling firm Swissport. That employee, based in Trinidad and Tobago, did not use multi-factor authentication (MFA) and the airline didn’t require it. Although the ICO report was heavily redacted at this point, the attacker then entered a Citrix environment and was able to escape from it onto the wider BA network, having “successfully copied a number of tools into the Citrix environment from outside the network.”

While carrying out network reconnaissance, the attackers hit the jackpot: the username and password for a Windows domain administrator account, “stored in plain text, in a folder on the server”.

The miscreants also found a database admin username and password later in their spree.

Although their next steps were redacted out of the report, the attackers eventually gained access to server logs that contained plaintext details of payment cards.

The ICO said: “The logging and storing of these card details (including, in most cases, CVV numbers) was not an intended design feature of BA’s systems… it was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live.” Those logs were stored for three months.

From there, the attackers discovered source code for the BA website and planted a card skimmer on the payments page used by the general public. Infosec firm RiskIQ reckoned, back in 2018, that the hack was the work of the Magecart payments theft gang.

Part of BA’s mitigation included deploying Crowdstrike’s Falcon tool across its systems.

Fine is 11 per cent of original penalty

Information Commissioner Elizabeth Denham floated a £183m fine in July last year, saying at the time: “People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

As BA and IAG’s lawyers made representations to get the fine reduced, the COVID-19 pandemic struck – and as the ICO stopped enforcing data protection laws in the early part of 2020, it started issuing deadline extensions to BA.

The data watchdog said the fine had been reduced by £4m to take BA’s coronavirus financial situation into account, justifying this by pointing to IAG revenues in excess of £12bn in FY2017 – long before the pandemic tore the heart and lungs out of the air travel industry. COVID-19 and resulting government prohibitions have forced the premature retirement of BA's iconic Boeing 747 fleet.

The fine reflects IAG’s H1 CY2020 loss (PDF) of 1.9 billion euros, and the fact that the airline group has had to mortgage “old and new aircraft” to raise another 2.2bn euros in cash with which to ride out government travel bans linked to COVID-19.

BA's sprawling IT estate, interfacing with multiple third parties all over the world, has a reputation for falling over at inconvenient moments. Such problems aren't helped when incompetent contractors play "let's pull all the levers" with data centre power supplies. ®


Biting the hand that feeds IT © 1998–2020