More bad news for British Airways, after its ticket system left hundreds of people stranded in airports due to IT failures last week, now a security bug has been discovered in its e-ticketing system, which has the potential to expose passengers’ data, including flight booking details and personal information. The researchers have estimated 2.5 million connections were made to affected British Airways domains over the past six months, so it could have a significant potential impact. More information about the story can be found here.
This is a classic example of prioritising user experience over cyber-security. Especially in the online world, consumers are requesting new, innovative, streamlined ways to manage their accounts and bookings, and companies have to keep pace with their demands to retain market share. Finding a balance between fast adoption and data protection can be a tough job. While it's always easier to implement new solutions without taking security into consideration, the growing risk of breaches, along with new and stricter regulations all around the world, makes sophisticated data protection a must.
This incident, so soon after the devastating data breach that British Airlines recently suffered, shows that many companies are still not getting the cybersecurity basics right. To protect their data, companies should, at the least, encrypt all sensitive data, and the keys to decrypt the data should not be stored with the solution or host database itself. Organisations should also consider modern cybersecurity technology that uses artificial intelligence (AI) and machine learning (ML) to identify behavioural anomalies that are indicative of an illicit user on the network. With machine learning algorithms, it's possible to spot behaviour that's outside the range of normal activities and intervene before it's too late.
Sending unencrypted emails with authentication data in the URL is certainly far from good security practice and, given the recent British Airways fines proposed by the ICO, it does not paint a good picture.
However, for this attack to be successful, the attacker needs to be connected to the same WiFi network as the victim in order to intercept the email and view the booking. Because of this, the threat is reduced somewhat.
British Airways will likely fix the issue soon, but it's a reminder to users that they should exercise caution when connecting to public WiFi hotspots.
This is a classic example of what is described as Sensitive Data Exposure in the OWASP Top Ten. The data is not just at risk of being captured in transit; it could well be that it is also stored in plain text on systems that process the request. This means the data could have ended up in, for example, access logs, waiting for an attacker to find it.
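One practical consequence of the point above is that any booking reference or authentication token carried in a URL is written to the access log of every server along the request path. As an added example (not code from the original article or from any airline's systems), this Python script scans constructed web-server log lines for sensitive query parameters and redacts their values before the line is stored; the list of parameter names is an assumption and would need to match the real application.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as sensitive. Constructed for this example;
# a real deployment would derive the list from the application's own URLs.
SENSITIVE_PARAMS = {
    "token", "session", "sessionid", "auth",
    "bookingref", "booking_ref", "surname", "lastname", "passport",
}
REDACTED = "REDACTED"

# Matches the request line inside a Common Log Format entry, e.g. "GET /x?y=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(GET|POST|HEAD|PUT|DELETE|PATCH|OPTIONS) (\S+) (HTTP/\d(?:\.\d)?)"')

# Constructed sample access log lines (not real traffic).
LOG = [
    '203.0.113.5 - - [20/Aug/2019:10:15:32 +0000] "GET /manage-booking?bookingref=ABC123&surname=SMITH HTTP/1.1" 200 5123',
    '203.0.113.9 - - [20/Aug/2019:10:16:01 +0000] "GET /static/logo.png HTTP/1.1" 200 812',
    '198.51.100.7 - - [20/Aug/2019:10:16:44 +0000] "GET /login?next=%2Fhome&token=eyJabc HTTP/1.1" 302 0',
]


def sensitive_params_in(target: str) -> list[str]:
    """Return the sensitive query parameter names present in a request target, in order."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]


def redact_url(target: str) -> str:
    """Replace the values of sensitive query parameters, leaving the rest of the URL intact."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def redact_line(line: str) -> str:
    """Redact the request target of one access log line before it is persisted."""
    return REQUEST_RE.sub(lambda m: f'"{m.group(1)} {redact_url(m.group(2))} {m.group(3)}"', line)


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Detection view: (line index, sensitive parameter names) for every line that leaks data."""
    findings = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        params = sensitive_params_in(m.group(2)) if m else []
        if params:
            findings.append((i, params))
    return findings


if __name__ == "__main__":
    for idx, params in scan(LOG):
        print(f"line {idx}: sensitive parameters in URL: {', '.join(params)}")
    for line in LOG:
        print(redact_line(line))
```

The scan is the detection half (what an existing log already leaks); the redaction is the mitigation half, applied at ingest, and it does not change the fact that the values were visible on the wire and on every intermediate system.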
When building a customer facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is – after all, your passport is one of, if not THE most, expensive and trusted government documents you own. Yet while it is common practice for airlines to use third party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines; meaning things slip through the gaps. Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase, before any customers have started to use it – helping companies to avoid embarrassment and more importantly ensuring customer data remains safe.