British Airways reported that it had experienced a “sophisticated, malicious criminal attack” on its website and app, resulting in its customers' full credit card details being stolen between 21 August and 5 September. We explore how sophisticated this attack was, given the mandatory controls required to be Payment Card Industry Data Security Standard (PCI DSS) compliant.
The information stolen was names, billing addresses, email addresses and bank card information, which included the card number, expiry date and the CVV code, the three-digit security code on the back of the card.
The PCI DSS, maintained by the PCI Security Standards Council, prohibits the storage of the CVV number, so this would suggest that the data was intercepted and stolen during the transaction itself rather than taken from stored records.
British Airways have reported very precisely that data was accessed between 22:58 BST on 21 August and 21:45 BST on 5 September. That is fifteen days undetected, which raises questions about the adequacy of the monitoring in place to identify this kind of activity, a requirement under the new Data Protection Act, the General Data Protection Regulation (GDPR) and the PCI DSS. In fact, the breach was reported to have been discovered by an outside partner.
Third party software scripts
Because the timings are so specific, this suggests the breach related to a vulnerability in a third party software script running on the BA website, exploited from the point it went live until the breach was discovered. Even where the breach came via third party software, BA will still have had to carry out due diligence under GDPR on that third party to ensure it had appropriate technical and organisational controls in place. This may be very similar to the Ticketmaster breach reported in June.
Merchants are required to have quarterly in-depth external vulnerability scans, called ASV (Approved Scanning Vendor) scans, which look for vulnerabilities that could affect the security of card data transactions and identify any potentially exploitable script. In addition, websites taking card payments are advised to use an iFrame or a full URL redirect to a PCI compliant payment service provider, so that card entry is isolated from the rest of the website.
BA have provided their assurance that “no customer will be out of pocket as a direct result of the criminal theft of data from ba.com and the airline's mobile app”.
Financial impact on BA
The potential financial impact on BA could be significant: reimbursing customers, the costs of a full PCI forensic examination, payment card fines, and the significant fines that can be levied by the ICO, of up to 4% of global turnover, if BA is found not to have taken adequate steps to secure personal data.