BA data breach – worse than we thought

I wrote yesterday about BA’s website and app being hacked and a consequent significant data breach. 380,000 bookings made over a two week period were stolen. Whilst the booking is OK, the data provided has been taken by the bad actors involved.

Under the new GDPR regulations, BA could face a very significant fine and as they are the first large breach since the new law came in, I fear that the Information Commissioner will want to make an example of them, as well as test the limit of her new powers.

Anyway, what exactly has been taken you ask?

As I made a booking during this period, BA is sending me updates and this morning tells me that the hackers stole:

  • My Full Name
  • My Billing Address
  • My Email Address
  • The Credit Card Number
  • The Card Expiry Date
  • and the cards’ CVV Code

‘What is the CVV code’ you ask – that’s the three-digit code on the back of your card.

There is a set of standards called the Payment Card Industry Data Security Standard – PCI DSS. This is a multi-tier policy which depends on how much a merchant processes credit cards. Typically card processors require merchants to follow this  set of standards. These include, even at the lowest level of compliance, a requirement not to retain the CVV code as part of the merchants’ records.

So, how did the hackers steal it then?

Well, speculation on the BBC is that the hack might be around any third party system used by BA to process its payments. I would add that BA isn’t confirming that this is the case but it might explain how the CVV code has been stolen.

Previous UK data thefts of this type have not seen the theft of the CVV codes.

BA is offering to compensate purchasers who are out of pocket and assist with credit reference agency rating rebuilding if there are fraudulent transactions.

BA’s advice is woefully simple:

  1. BA won’t call to ask for our data. (Well I would never hand that over anyway).
  2. We are asked to review our credit card statements. (Yes, generally a good idea even when BA hasn’t lost my data).
  3. Do not reply to emails from unknown sources (Doh!)

And they close with truly apologising for the problem!

I think we will learn more about this over the next few days as the traditional press start to take apart what’s happened.


Comments are closed.