Summary
Highlights
The British Airways breach, while not as massive as some, affected around 400,000 people, compromising credit card information, names, and crucially, the three or four-digit validation codes. This made the stolen data immediately usable for fraudulent transactions.
This breach is significant because it's one of the first to be disclosed under Europe's new data privacy regulations (GDPR). These laws mandate disclosure within 72 hours of discovering a breach, a lightning-fast turnaround compared to the typical 90-day window in the US. This rapid disclosure allowed banks to proactively cancel and reissue cards, a big win for consumers.
British Airways was able to pinpoint what information was stolen because the attackers left a clear breadcrumb trail in their modified code. However, the short 72-hour disclosure window means that the full extent of the hack might not have been fully uncovered at the time of the initial announcement.
Companies typically do not voluntarily disclose breaches unless legally obligated. British Airways' quick action was a direct result of the new European privacy laws. Being transparent can shorten the news cycle and potentially mitigate stock price impact, but this transparency must be consistent, unlike in the case of Equifax.
The British Airways hack, being financially motivated, contrasts with espionage-driven attacks like the DNC hack. Financial hackers aim to quickly monetize stolen data, which has a short shelf life, leading to faster detection through fraudulent transactions. Espionage hackers, on the other hand, prioritize covert, long-term access to sensitive data.
The hackers modified British Airways' website code to redirect payment information to their servers, a technique known as cross-site scripting. This was a 'low-hanging fruit' vulnerability that a routine website scan could have identified, suggesting a potential weakness in British Airways' web security despite possibly strong backend IT defenses.
While the 'dark web' contains much old and often useless data, the information stolen from British Airways was current and included validation codes, making it highly valuable for immediate fraudulent use.
The British Airways attack was a real-time monitoring of input data, unlike the Equifax breach which involved extracting previously stored records from deep within their network. The rapid disclosure necessitated by GDPR offers consumers a chance to quickly check for fraudulent activity, though it may also lead to unnecessary checks.
Although British Airways only disclosed what was confirmed stolen, gaining access to manipulate website code could potentially be used as a pivot point to infiltrate deeper into the company's network. However, hacking an airline's website or IT systems is entirely different from a direct attack on a plane's operational systems, which remains a highly complex and unlikely scenario for the typical cybercriminal.