BA data breach – did they know they were vulnerable?

In the ongoing situation around the hack of 380,000 BA customer booking records which I wrote about yesterday, one British newspaper says today that BA knew that they were vulnerable. Yesterday I mentioned a standard for processing card payments called PCI DSS.

Today’s Daily Telegraph newspaper is reporting that last year BA failed a test which forms part of this standard. They quote an unnamed ‘IT Expert’ as saying that they had warned BA last year that they were vulnerable. BA denies this. It appears that BA failed the standard in respect of having appropriate monitoring tools in place to look for suspicious activity. Bearing in mind the length of time that this hack went on for – nearly two weeks – it seems that BA might well not have had appropriate tools in place at the time of the incident.

BA is offering to make people whole again if they lose money over the scam. One problem, however, is how long the fraudsters will hold the data before trying to use it. I made a ticket change in the period of the hack and so am susceptible to the problems. The ticket I purchased was via Expedia and so is not at risk as Expedia does not pass my card details to BA.