Brendan Rizzo, technical director for HP Security Voltage (www.voltage.com), issued the following commentary on the hack of British Airways frequent flyer miles accounts:
“The limited information available about this breach suggests that it involved thousands of accounts. While this might be a small percentage of the overall number of accounts, it is large enough to raise questions about whether the attacks were the result of an attacker getting access to a large repository of authentication information, either directly from the company’s applications or servers, or via a third-party partner. In either case, industry best practice should have involved the use of strong encryption or one-way hashes of user passwords which would have precluded such an attack from yielding exploitable credentials.
Stealing usernames and passwords is usually only the first step of an attack for cyber-criminals. These credentials can then give them access to additional personal information which can be used for more targeted follow-on attacks. In the case of British Airways, if someone is able to log in to a user’s frequent flyer account online, they would then get access to that user’s home address, phone number, and date of birth – all of which would provide an attacker ample ammunition to conduct follow-on spear-phishing attacks, impersonation calls, and potentially online system account attacks.
This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it’s not a matter of ‘if’ it will be compromised – it’s a matter of ‘when.’ While there is no doubt that British Airways has top-of-the-line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company stores sensitive information about its customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just authentication related data.
If companies adopt a data-centric model whereby the data itself is encrypted and is only ever able to be decrypted at authorised points for specific purposes, their risk to data loss would be dramatically diminished. Attackers would then only gain access to encrypted data which would be of no use to them, thereby allowing the sanctity of the sensitive data to remain intact.”
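The commentary's central technical point is that a stolen authentication repository should not yield usable credentials, which is what salted one-way password hashing with a slow key-derivation function achieves. The following is an added editorial example, not code from HP Security Voltage, British Airways or the commentary's author; the credential store, the record format and the sample accounts are constructed for illustration, and the PBKDF2 work factor is an assumed value in the range current guidance suggests rather than anything the page states.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a high
# iteration count, a 16-byte random salt per user and a 32-byte output.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
HASH_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Storing the algorithm and parameters alongside the hash lets the work
    factor be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=HASH_LEN
    )
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(hash_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


class CredentialStore:
    """Constructed in-memory stand-in for an account database.

    Only hash records are kept; the plaintext password is never stored.
    """

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Burn the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, record)

    def dump(self) -> Dict[str, str]:
        """What an attacker who copied the repository would obtain."""
        return dict(self._records)


def plaintext_in_dump(store: CredentialStore, passwords: Iterable[str]) -> bool:
    """True if any given plaintext password appears verbatim in the dumped records."""
    records = store.dump().values()
    return any(pw in rec for rec in records for pw in passwords)


if __name__ == "__main__":
    # Constructed sample account; the dumped record contains no reusable secret.
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("login with wrong password:", store.login("alice", "wrong"))
    print("plaintext visible in dump:", plaintext_in_dump(store, ["correct horse battery staple"]))
```

The dump is deliberately the only thing an attacker with a copy of the repository would see: a salted, slow hash per account with no plaintext, so the stolen data cannot be replayed as a login without a per-account brute-force attempt, and the per-record parameters allow the iteration count to be raised on next login as hardware improves.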
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.