Digital Defense: British Airways Hack (09/13/18)

Share

Summary

This episode of Digital Defense discusses the 2018 British Airways data breach, its implications under the new European data privacy regulations (GDPR), and how it compares to other major hacks. The speaker, Jordan Robertson, explains the technical nature of the attack, the prompt disclosure by British Airways, and the role of new privacy laws in protecting consumers.

Highlights

The British Airways Data Breach and its Scale
00:00:26

The British Airways breach, while not as massive as some, affected around 400,000 people, compromising credit card information, names, and crucially, the three or four-digit validation codes. This made the stolen data immediately usable for fraudulent transactions.

Impact of New European Data Privacy Regulations (GDPR)
00:02:13

This breach is significant because it's one of the first to be disclosed under Europe's new data privacy regulations (GDPR). These laws mandate disclosure within 72 hours of discovering a breach, a lightning-fast turnaround compared to the typical 90-day window in the US. This rapid disclosure allowed banks to proactively cancel and reissue cards, a big win for consumers.

How British Airways Knew What Was Taken
00:09:54

British Airways was able to pinpoint what information was stolen because the attackers left a clear breadcrumb trail in their modified code. However, the short 72-hour disclosure window means that the full extent of the hack might not have been fully uncovered at the time of the initial announcement.

Why Companies Disclose Breaches
00:13:05

Companies typically do not voluntarily disclose breaches unless legally obligated. British Airways' quick action was a direct result of the new European privacy laws. Being transparent can shorten the news cycle and potentially mitigate stock price impact, but this transparency must be consistent, unlike in the case of Equifax.

Difference Between Financial Hacks and Espionage
00:16:20

The British Airways hack, being financially motivated, contrasts with espionage-driven attacks like the DNC hack. Financial hackers aim to quickly monetize stolen data, which has a short shelf life, leading to faster detection through fraudulent transactions. Espionage hackers, on the other hand, prioritize covert, long-term access to sensitive data.

The Simplicity of the Attack and British Airways' Security
00:20:02

The hackers modified British Airways' website code to redirect payment information to their servers, a technique known as cross-site scripting. This was a 'low-hanging fruit' vulnerability that a routine website scan could have identified, suggesting a potential weakness in British Airways' web security despite possibly strong backend IT defenses.

Value of Current vs. Old Data
00:21:48

While the 'dark web' contains much old and often useless data, the information stolen from British Airways was current and included validation codes, making it highly valuable for immediate fraudulent use.

Distinguishing Different Types of Attacks
00:24:02

The British Airways attack was a real-time monitoring of input data, unlike the Equifax breach which involved extracting previously stored records from deep within their network. The rapid disclosure necessitated by GDPR offers consumers a chance to quickly check for fraudulent activity, though it may also lead to unnecessary checks.

Potential for Deeper Access and Airplane Security
00:26:31

Although British Airways only disclosed what was confirmed stolen, gaining access to manipulate website code could potentially be used as a pivot point to infiltrate deeper into the company's network. However, hacking an airline's website or IT systems is entirely different from a direct attack on a plane's operational systems, which remains a highly complex and unlikely scenario for the typical cybercriminal.

Recently Summarized Articles

Loading...