British Airways has resolved an August breach that resulted in data being stolen from about 380,000 customers, and the company is treating a probe of the incident with some “urgency.”
“We have notified the police and relevant authorities,” the airline said in a statement about the breach, which occurred between August 21 and Sept. 5. “The breach has been resolved and our website is working normally.”
The airline said “the personal and financial details of customers making bookings on ba.com and the airline’s mobile app were compromised,” but noted that the thieves didn’t nick passport or travel details.
“While British Airways has assured the public that the affected customers will be notified, we often see the estimated number of affected individuals grow over time,” said Webroot senior security analyst Randy Abrams.
“Thankfully, no passport details were allegedly obtained,” he said, pointing to the recent Air Canada breach in which “customer data potentially including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence” could have been compromised.
Abrams said the data could be available to cybercriminals who could “aggregate and correlate [it] to build significantly comprehensive profiles.”
He urged British Airways customers to “check in with their banks and credit card companies – as they will help to mitigate financial compromise – as well as set up two-factor authentication for additional security.”
“The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone,” said Israel Barak, CISO at Cybereason. “Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch.”
Barak said consumers “should be working under the assumption that their personal information has been compromised many times over.” He warned that until the industry “can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”