Chat with us, powered by LiveChat

Blog

Back

Hacking Horror Stories Vol.6 – The British Airways Breach

31 Oct 2018 by Becci Velzian

This article refers to our former reporting, security, and management products. We have now integrated these products into Nova, an all-new Office 365 management platform. Find out more

Our Hacking Horror Stories finale in our Halloween series features the quintessentially British institution that is airline company British Airways. They were the victims of a malicious data breach where the hackers took off with their valued customer’s sensitive data.

British Airways is the UK’s biggest airline which flew 42,784,528 passengers to over 200 destinations and 75 countries around the globe in 2017. The flag carrier is the UK’s national airline and often flies members of government and sovereign. British Airways prides itself on their exceptional high-standard customer service and impeccable flight punctuality. Many British Airways customers are members of their loyalty scheme where they receive Avios points on every flight, which can accumulate to include benefits like first class treatment and global access to premier lounges.

The BA Breach

On September 7th, 2018, British Airways boss Alex Cruz announced that the National Airline had been hacked in a “sophisticated, malicious and criminal attack” where the data of 380,000 people had been stolen between 22:58 BST on 21st August – 5th September. Cruz was extremely apologetic for the criminal activity and said they were going above and beyond to recover the hack. You’ve got to hand it to BA, their punctuality on announcing this attack (once they identified it) was undoubtedly efficient for its customers, especially in comparison with other companies like Uber.

The soaring airline company initially thought the hackers had stolen 380,000 payment cards, however, after further investigation, they found the stolen data amounted to 77,000 payments cards with all the relevant details and CVV numbers. In addition to that, a further 108,000 card details were also stolen but without additional payment information. The BA investigation was fittingly sky-high; they were able to give specific information on the customers affected, which in this case was anyone who had booked a flight with their Avios points or a payment card between April 21st – July 28th.

Whodunnit?

It has been speculated this was the professional and devious work of cybergang Magecart. The criminal group is notorious for using tactics such as brute-force password cracking of front-end systems to compromise e-commerce sites, which is essentially where they log on to unsecured sites and “digitally skim” for credit card details. Magecart was also responsible for attacks on websites such as Ticketmaster. Although British Airways and its customers have been victims of a specialized cybergang equipped with powerful technology, this attack could have been avoided. They could have upped their security measures and ensured their payment forms were more secure and monitored their website logins accordingly.

The repercussions of this attack for British Airways means that they could be subject to some soaring fines under the new GDRR legislation, paying up to 4% of their turnover of £1.43billion last year. That is a hell of a lot of air miles!

How could this cyber-attack have been avoided?

The premium airline could have avoided this data breach had the proper security auditing measure been taken. Using tools like Radar for Security & Audit would have enabled British Airways to investigate the security incident, identify the cause and act accordingly.

British Airways suffered from a brute force attack from cybergang Magecart. If this activity was happening in an Office 365 tenant, our tool Radar for Security & Audit would identify external attacks on the environment such as brute force attacks or user credential leaks by monitoring anomalous events. This also includes obstructing popular hacker activities like Magecart’s other tactic, known as ‘password skimming’. The screenshot below demonstrates one way of identifying a potential attack:

Our Failed Events report keeps a detailed log of all failed login activity, showing where in the world it is coming from. As you can see above, these login failures are from China. If none of your employees is currently in China, you know that you’re looking at brute force activity, and you’ve got a potential problem on your hands. Radar Security & Audit keeps track of all user activity in Office 365, which means it shows successful logins after many failures, precisely how many password attempts have taken place, suspicious user locations, and irregular sign-in activity. This enables you to quickly see which accounts have been compromised and take action to avoid data leakage.

If you want to see how advanced Office 365 security reporting and analytics can help you better understand and protect your environment, why not explore our live demo, or sign up for a free 14-day trial?