The British Airways security breach hit the headlines in early September with 100,000’s of customers falling victim of hackers stealing their personal and financial information. We’ve pulled together the facts about what happened, the potential impact for customers, what to do if you’ve been impacted and how the new GDPR legislation has shown it’s worth in this case.

First of all, the facts.

Between 10.58pm on 21 August and 9.45pm on 5 September 2018, 380,000 people had their personal and financial details stolen by hackers when they made a payment via ba.com or the British Airways app. Payments made through travel agents were unaffected.

Customers who used other airlines websites to book a BA ‘codeshare’ during that period (such as American Airlines, Iberia and Are Lingus) have not had their details stolen.

BA has stated that the data stolen included customers names, addresses, email addresses, card number and card verification codes (CVVs – the three-digit number on the back) but did not include passengers’ passport and travel details. This means the hackers won’t have a connection between the name and address of the customer and the dates of their trip (and consequently, when they won’t be at home) and their passport data isn’t at risk of being misused.

According to BA, the data breach was identified when “a third party noticed some unusual activity and informed us about it”. The airline duly informed the police and the Information Commissioner and whilst it’s not clear who the third party supplier was, once the theft was identified BA “immediately acted to close down the issue, and started an investigation as a matter of urgency”.

What’s the impact for customers?

380,000 customers details, whilst a lot, is by no means the biggest breach in recent years, so why did some banks issue new cards as routine without even waiting to get the full picture? 3 letters- CVV. The CVV is the 3 or 4 digit code which acts to provide an additional level of security when using your card online. To have that stolen makes it incredibly easy for the hackers to use the details and is why The Financial Times Brooke Masters called this security breach ‘one of the worst in history’. There is a range of ways the information could be used, from cloning the card, ‘phishing scams’, selling the information to other criminals or simply making online purchases.

So, if you have been impacted, you should already have been contacted by British Airways and told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice”. Further to this BA has advised that it will be offering all customers 1 year of credit rating monitoring service, and although further details have yet to be released, you will get notified of how to take advantage of it.

Moneysavingexpert.com contacted banks to confirm their response to this incident and whilst some banks are issuing new cards as routine, some are monitoring them for you and others are just asking you to check and notify them of anything unusual or that you are concerned about. See full details of each banks response here.

So other than calling your bank and keeping an eye out for more details on the credit rating monitoring service, what else can you do?

  • If your bank isn’t one that is issuing new cards to all customers and you are worried about the potential impact now or in the future, don’t be afraid to ask for a replacement to be sent to you.
  • Change your BA account password and any accounts with the same password.
  • Be on alert for ‘phishing scams’. One way of making use of the data is to use it to trick you into thinking you are talking to your bank or another genuine organisation. and revealing information which they can use. Watch out for unusual calls, texts and emails asking you for details of your password or pin.
  • Keep an eye out for unusual charges: That being said, you don’t want to completely hand that responsibility over to the bank. Check the transactions on your credit card often and pay close attention to any that come from overseas or in the middle of the night.
  • Check your accounts regularly and highlight any payments you don’t recognise to the bank immediately.

How does GDPR come into it?

After the implementation of GDPR this year and the swathes of emails in our inboxes asking us if we want to resubscribe to things we probably didn’t even know we’d signed up to, it’s all gone a little quiet. Most companies have implemented the relevant policies but on a practical level, there hasn’t been much change for consumers. So why is GDPR relevant in this case? Well, previously when companies have had a breach in their security, resulting in customers data being stolen, they haven’t always declared it very promptly (around 3 years for Yahoo who declared breaches from 2013 in 2016).
However, GDPR regulations required companies to disclose any hacks within 72 hours, which BA complied with. Was it a bid to reduce a potential £500m fine (4% global turnover)? Possibly but by doing so they acted responsibly to enable customers and banks to act fast and reduce the potential impact. A big tick to GDPR working in real life scenarios.

Do we know who the hackers are?

RiskIQ, the ‘world leader in digital threat management’ has suggested that the Magecart hacking group are the suspected attackers. The Magecart group hit the headlines back in June (2018) when it was identified as being attacking Ticketmaster . RiskIQ have identified the BA attack had some of the same trademarks as the Ticketmaster attack, although there was one key difference in that the BA site was targeted directly, rather than via a third-party service.

“This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, head researcher at RiskIQ. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”