More Problems For British Airways – Now An e-ticketing Vulnerability Has Been Discovered

More bad news for British Airways: after IT failures last week left hundreds of people stranded in airports, a security bug has now been discovered in its e-ticketing system that could expose passengers’ data, including flight booking details and personal information. The researchers estimate that 2.5 million connections were made to the affected British Airways domains over the past six months, so the potential impact is significant. More information about the story can be found here.

Expert Comments

August 15, 2019
Felix Rosbach
Product Manager
comforte AG
This is a classic example of taking user experience over cyber-security. Especially in the online world, consumers are requesting new, innovative, streamlined ways to manage their accounts and bookings, and companies have to be on par with their demands to retain market share. Finding a balance between fast adoption and data protection can be a tough job. While it’s always easier to implement new solutions without taking security into consideration, the growing risk of breaches, along with new and stricter regulations all around the world, makes sophisticated data protection a must.
August 15, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
Sending unencrypted emails with authentication data in the URL is certainly far from good security practice and, given the recent British Airways fines proposed by the ICO, it does not paint a good picture. However, in order for this attack to be successful, the attacker needs to be connected to the same WiFi network as the victim in order to intercept the email and view the booking. Because of this, the threat is reduced somewhat. British Airways will likely fix the issue soon, but it's a reminder to users that they should exercise caution when connecting to public WiFi hotspots.
August 13, 2019
Cesar Cerrudo
CTO
IOActive
When building a customer-facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is – after all, your passport is one of, if not THE most, expensive and trusted government documents you own. Yet while it is common practice for airlines to use third-party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines, meaning things slip through the gaps. Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase, before any customers have started to use it – helping companies to avoid embarrassment and, more importantly, ensuring customer data remains safe.
August 15, 2019
Saryu Nayyar
CEO
Gurucul
This incident, so soon after the devastating data breach that British Airlines recently suffered, shows that many companies are still not getting the cybersecurity basics right. To protect their data, companies should, at the least, encrypt all sensitive data, and the keys to decrypt the data should not be stored with the solution or host database itself. Organisations should also consider modern cybersecurity technology that uses artificial intelligence (AI) and machine learning (ML) to identify behavioural anomalies that are indicative of an illicit user on the network. With machine learning algorithms, it’s possible to spot behaviour that’s outside the range of normal activities and intervene before it’s too late.
August 15, 2019
Hugo van Den Toorn
Manager, Offensive Security
Outpost24
This is a classic example of what is described as Sensitive Data Exposure in the OWASP Top Ten. It is not just at risk of being captured in transit, but it could well be that this data is also stored in plain text on systems that process the request, meaning the data could have been stored in, for example, logs, waiting for an attacker to find it.
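The two weaknesses the comments above describe, authentication data carried in a URL and that same data ending up in plain-text logs, beside a hardened alternative, as an added example that is not code from British Airways or from the article; the endpoint, parameter names and log lines are constructed for illustration.

```python
import re, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

BASE = "https://example.invalid/manage"        # hypothetical endpoint
SENSITIVE_PARAMS = {"booking_ref", "surname"}  # hypothetical parameter names

def insecure_manage_link(booking_ref, surname):
    """The weak pattern the comments describe: the data needed to open the
    booking travels in the query string, so anyone who sees the URL (the
    unencrypted mail in transit, a proxy, a web-server access log) can replay it."""
    return BASE + "?" + urlencode({"booking_ref": booking_ref, "surname": surname})

class TokenStore:
    """Hardened alternative: an opaque, random, single-use and expiring token
    resolved server-side, so the URL itself reveals nothing about the booking."""
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (booking_ref, expiry timestamp)

    def issue(self, booking_ref, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = (booking_ref, now + self.ttl)
        return BASE + "?" + urlencode({"t": token})

    def redeem(self, url, now=None):
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        entry = self._tokens.pop(token, None)  # pop: a token works exactly once
        if entry is None or now > entry[1]:
            return None
        return entry[0]

def sensitive_params_in_log(line):
    """Detection: report sensitive query parameters found in a combined-format
    access-log line, the 'stored in plain text in logs' exposure warned of above."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    if not m:
        return set()
    return SENSITIVE_PARAMS & set(parse_qs(urlparse(m.group(1)).query))

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2019:10:00:00 +0000] "GET /manage?booking_ref=ABC123&surname=Smith HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Aug/2019:10:00:05 +0000] "GET /manage?t=opaque-token HTTP/1.1" 200 512',
]
```

Running `sensitive_params_in_log` over existing access logs is a quick way to find out whether the first kind of link has already been written to disk; the token store shows what the link should carry instead.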
