Security Experts Comments – British Airways Data Breach (second series)

News broke late last night that 380,000 sets of critical information from BA customers had been stolen. The airline said personal and financial details of customers making bookings had been compromised. BA said the breach took place between 22:58 BST on 21 August and 21:45 BST on 5 September. IT security experts commented below.

Mayur Upadhyaya, Managing Director, EMEA at Janrain:

“The British Airways breach demonstrates the level of sophistication attackers are now capable of. One of the inherent challenges seen in the industry is dealing with non-brutish types of attacks (DDoS, bot, etc) and how these targeted attacks fit into your detection system. Another potential challenge, is how many of these consumer facing systems are architected. With both British Airways and Air Canada (only last week), it would seem that organisations are still not centralising customer data in a single location, so that it is easier to manage and secure.  It’s also possible that these systems over replicate customer data into multiple repositories, rather than referring back to a governed and secured single solution. Systems, tools and applications that have access to customer data, need fine grain and granular control over which attributes they can access in the clear. As details emerge about both these airlines, many in the industry will be watching with interest, to where in their solution stack the remediation work will take place.

Randhir Shinde, CEO at Galaxkey:

“British Airways is just the latest example of the threat posed by cyber-attacks. Hackers are becoming increasingly inventive, often targeting hardware such as printers, scanners and credit card machines to breach systems.

“The real danger here is not the stolen financial information and assets. These losses will be compensated. The bigger issue is that their personal information may have been compromised. Names, addresses and email addresses may not sound threatening, however this information can be the first step for hackers. The details allow them to enter email accounts, social media and ultimately do harm. All of us – businesses and individuals – have an interest in doing everything we can to protect data.”

Lewis Henderson, VP of Threat Intelligence at Glasswall Solutions:

“One crucial area that has been overlooked is encryption. This is important because the data was probably intercepted whilst ‘in transit’, and not when encrypted ‘at rest’.  There is speculation around the fact that because CCV numbers were obtained as part of the attack, it’s likely the attackers were harvesting data whilst transactions were taking place. CCV numbers are normally segregated from the full card number when it is stored.

There is also another side to encryption, as it is a powerful tool for malicious actors and not just used for protecting data.  What we are discovering is that attackers are using encryption not simply to deliver malware payloads in documents, but to also hide what they’re doing whilst inside a network – it is the ultimate stealth tactic as they are rendered invisible.

This explains why it has probably taken British Airways some time to discover the breach was even happening.  It’s entirely possible that the British Airways attackers were siphoning off significant quantities of sensitive data for weeks or months, whilst BA had no indication of their presence – this again supports the theory it was interception of data, and not a ‘smash’n’grab’ style of breach.

The other danger from encrypted payloads is it means attackers can use old malicious malware and walk in with it through the front door, and if they encounter unpatched machines then its game over.

The Cyber Security industry needs to stop interpreting the word ‘encrypted’ as ‘secure’, because it can no longer be explicitly trusted when malicious actors are using it as one of their key tactics.  How these attackers are gaining entry, their tactics once inside, and how they exfiltrate data all involves encryption – it needs a serious risk management overhaul.”

Dan Panesar, VP EMEA at Certes Networks:

“News hit the headlines today of another cyber-attack, this time involving a sophisticated breach of British Airways’ website and mobile app. The attack involved around 380,000 customer records, including credit card information being compromised – although no travel or passport details were involved.

The question being asked today is: was the stolen data encrypted? Encryption is a fundamental component of the defence in depth security model, but to be effective, encryption must enhance an organisations’ security posture, not constrain it.

This is where Layer 4 encryption comes in, which decouples encryption from the network. By encrypting data in motion and segmenting the network, even if the hackers are able to infiltrate the perimeter defences, using segmentation makes it harder for hackers to steal sensitive data, and encryption actually renders the sensitive data useless if it’s stolen.

Unfortunately, the increasing sophistication of cyber-attacks and the growing attack surface means that for any organisation with a world-wide recognised brand, it’s a question of when they’ll be breached, not if. By using encryption technology as a fundamental part of their security strategy, organisations can make sure their sensitive data is protected and keep it out of the waiting hands of the hackers. This then avoids the inevitable post-breach fallout and negative impact on a company’s brand, as seen with British Airways.”

Pravin Kothari, CEO at CipherCloud:

“Since the US has enacted breach notification laws, businesses and consumers have been made acutely aware of the risks and brand damage that result from a cyberattack, but very little has been reported from Europe. Does that mean European businesses are more secure? Not necessarily. Now, thanks to GDPR, more European breaches will be made public. Unfortunately, even though technology has kept up with the latest attack methods and preventive solutions are available, it’s taken this kind of regulation to force awareness about the critical need to invest in security to protect your data.”

Paul Bischoff, Privacy Advocate at Comparitech.com:

“With British Airway’s disclosure of hackers carrying out a malicious attack on its website and mobile app and Air Canada suffering a similar fate just last week, there’s nothing like a fresh wave of data breaches to drive home the importance of the security of customer data.

Somewhat encouraging is the admission that the BA attack did not compromise travel or passport details, but it has still had a knock-on effect to BA’s share prices, which have dropped 4% since the disclosure. Comparitech.com yesterday published its own study that looks at share prices in relation to data breach disclosures and the effects are immediate and negative. It’s a stark reminder to companies that hold personal information on customers that hackers will come for them, the question is: are they ready?”

Timothy Bedard, Director of Product Marketing – TID Solutions at OneSpan:

“As the British Airways breach details become publicly known, this is yet another reminder of reality we live in today. It is not a question of “if we get breached”, it is a question of “when we will be breached.” Well, the breach has happened and British Airways has started to notify impacted customers while trying to minimize the brand recognition hit. But, while British Airways manages the negative publicly and potential GDPR fines, the real victims in this scenario are the British Airways customers. Once fraudsters have their personal information (i.e. name, email addresses, and credit card information), they will be able to access their personal bank account(s), open new accounts in their name, or use their personal information to make fraudulent purchases. Or, they could sell their personal information to other fraudsters on the dark web.

The key lessons from the British Airlines breach are threefold – one, breaches will continue to fuel fraud, account takeover and application fraud; two, combined with poor password hygiene, fraud will continue to rise; and three, no password is safe; every password is vulnerable – so British Airwayscustomers, change your passwords today!”

Andre Stewart, VP EMEA at Netskope:

“The British Airways hack is a stark reminder to all businesses about the importance of securing customer data. In this case, fraudsters have been able to get their hands of an estimated 380,000 people’s financial information. There’s a lot of potential for innocent people to be out of pocket following this breach. In the age of GDPR, I am sure BA are very concerned at the moment.”

“That said, fear of financial penalties should not be the reasons for businesses to have solid data practices. The proliferation of cloud means more and more data is stored off-premise, and out of the control and protection of traditional security defences. Businesses need to take steps to secure sensitive customer data wherever it’s stored, building complete visibility and real-time control over data under their remit.”

Ronan David, VP, Strategy at Efficient IP:

“Alex Cruz, CEO of British Airways declared this attack as a “very sophisticated, malicious criminal attack”, and identified the time of the attack between the 21st August and the 6th September, leaving the attacker 17 days to steal payment information on an unprecedented scale. Though currently the exact attack method used is still unknown, this has all the traits of a DNS data exfiltration attack. This type of attack can be extremely difficult to detect as it closely resembles typical network traffic, meaning incidents are often not detected until long after exfiltration has already been achieved.

The DNS protocol is recognised as one of the most discrete options for cyber criminals to carry out data exfiltration, as DNS traffic is typically not analysed. This ‘careless’ attitude makes it difficult to efficiently track with existing network inspection tools, especially considering the high volume of DNS traffic.

DNS exfiltration attacks are difficult to detect for legacy systems, and if the British Airways attack is indeed DNS exfiltration, it could give validity to Mr. Cruz’s claim that it was discovered as late as it was.Our Global DNS Threat Report shows 22% of transport organisations were vulnerable to DNS tunneling and exfiltration, showing a higher vulnerability to these attacks than other industries. It also showed that the transport industry was subject to more DNS-based attacks than any other in the last 12 months. In this day and age, companies must consider security solutions specifically for DNS in order to protect their infrastructure and stored customer data.”

Andy Norton, director of threat intelligence at Lastline:

“Tonight, BA’s twitter feed is getting pummelled by concerned, disappointed and angry customers, as they still haven’t notified the impacted 380,000 clients who paid by credit card during the time window. It is also interesting to see how GDPR has raised the awareness of privacy obligations on data controllers in the minds of the consumer, though BA are currently avoiding answering whether this amounts to a GDPR breach. Often, when organisations announce a breaches they do so with the facts at that moment in time, and after deeper investigation organisations regularly find that the extent of the breach is bigger than originally stated. We will have to see if that is the case here.”

James Hadley, CEO & Founder of Immersive Labs: 

“A major target for hackers is any organisation that keeps large amounts of data on its customers. Airlines have been the subject of recent attacks as they hold a whole host of personal information from emails and passwords, through to credit card details and passport information.

Brands that hold such personal and valuable data must do better at preventing cyber attacks and make sure their skills are contually tested, as these attacks are having a major impact on brand trust. Customers are increasingly taking their security and privacy into consideration as part of the buying cycle and will gravitate towards those they are comfortable with handling and looking after their personal information.”

Tim Mackey, Technical Evangelist at Synopsys:

“GDPR has placed us in a world where disclosure of data breaches are likely to occur before the full details of the attack are known. On the positive side, companies are highly incented to improve the level of security monitoring they perform. While to the travelling public, a two week window under which the attack wasn’t properly identified as such is alarming, the reality is that absent regulations like GDPR such incidents could go undisclosed for significantly longer. It is my hope that while we see an increase in disclosures in the near term, as organisations improve their software and system security measures a marked decline in successful attacks will ensue.”

Israel Barak, Chief Information Security Officer at Cybereason:

“The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone. Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”

Tim Erlin, Vice President of Product Management and Strategy at Tripwire:

“As is usually the case, there will be more details about the cause of the breach as time passes. It’s unfortunate that payment card details appear to have been compromised in this incident. That will increase the impact on consumers. This may prove to be an important test of the recently implemented GDPR.”

.

Jake Moore, Security Specialist at ESET:

“After a large scale incident like this, fraudsters from around the world will inevitably jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from this incident or such like mentioning it asking for any personal information or to click on unverified links, discard them.

If your data is included in this breach, you’ll need to take action to protect yourself. If you find your credit or debit card has been compromised consider the following:

• Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious.
• You’ll also want to check your card statements for suspicious activity or purchases online – in particular small amounts just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud alert security on your account.
• And it goes without saying change your BA.com password. After any breach of such velocity, it is always a good idea to change your passwords along with the same ones used on other websites.”

Bill Evans, Senior Director at One Identity:

“In what appears to be the second breach of travelers’ information in as many weeks, British Airways announced today that personal and financial details of 380,000 customers making bookings had been compromised.  This follows on the heels of a breach of the mobile app from Air Canada just last week.  As part of the breach, BA stated that travel and passport details were not stolen.

it is heartening to note that BA is working with those individuals whose card payment information was breached as well as working with authorities all seemingly aligned to the recently enacted GDPR regulation.

While it’s far too early to tell how this latest breach occurred, usually these types of cybercrimes are the result of poorly managed privileged accounts which are the accounts that have access to most, if not all, IT systems.  Protecting these accounts is perhaps the single most important security step any organization can take followed closely by multi-factor authentication and access governance.”

Gerald Beuchelt, CISO at LogMeIn:

“This attack could cause serious problems for affected customers, including damage to their finances and credit ratings. This incident, the latest in an ever growing string of breaches of trusted brands, is likely to add to a feeling that consumers are losing control of their personal data.

Whilst the breach is still under investigation, it appears to have been a sophisticated infiltration of defences and not the airline’s encryption systems. This, paired with the fact that the attack went undetected for 15 days illustrates the need for organisations to adapt and update their security controls to keep up with the fast evolving threat landscape.

Customers should also mitigate any damage by changing their passwords to something unique across all accounts and turning on multi-factor authentication where possible. Individuals and businesses should also be extra vigilant to phishing emails, as attacks like this provide the perfect opportunity for scammers to use it to their advantage.”

Chris Boyd, Lead Malware Analyst at Malwarebytes: 

“The only good thing we can say about this breach is that BA have provided a very short and specific date range where data may have been compromised. Typically, we’re lucky to get a date range of less than six months to a year, which makes a potential victim’s response to any threat difficult. This could end up being a major test of new GDPR regulations, and it’ll be fascinating to see the cause of the breach come out in the wash.”