BA data breach – Speculation on what happened and the inevitable law suit

SC media – ‘The cyber-security source’ is providing a more educated view of what may have happened around the BA data breach than the UK newspapers have managed.

They report that Marcus Gill Greenwood, CEO at Ubio, visited the BA web site and using tools readily available within his browser, found that the BA payment page references seven other domains during the booking process. These provide visitor tracking, customer service support and various other tasks but also, they provide the details of the booking to the external suppliers.  You can read his full article here. The author suggests that the credit card data should have been secured within an iframe – an element of a web page.

The suggestion is that malicious java script was loaded and that this ‘stole’ the credit card information of anyone booking. It also suggest, says Greenwood, that this mechanism rather than a database hack is most likely the cause.

This seems likely as the payment mechanism from the app and web site were both impacted by the breach. The report goes on to indicate that the problem that Ticketmaster had recently was of the same type. Most likely the problem happened at one of the seven domains referenced rather than at BA.

Perhaps inevitably a law firm is looking to make some fees from the debacle by seeking to obtain permission for the UK version of the US ‘class action’ lawsuit. SPG law, the UK arm of a large US company, is looking to launch a £500m suit against BA. Their claim is for “inconvenience, distress and misuse of … private information”

There are reports of people receiving Phishing emails from bad actors purporting to be from BA. If you get one please be very careful as it is likely they are trying to obtain more information about you to perpetrate a fraud.

Flyertalk also reports that BA is calling selected customers to reassure them about what happened, but some people are being told that compensation is being considered whilst others are told that it’s not. No call to me yet.

American Express, whose BA credit card I hold, have told me to do nothing and they are monitoring my account. Of course, I am taking steps. I have turned on daily text messages for my current account where my debit card payment came from and am checking my Amex every day.


  1. This is another opportunity for BA’s CEO Alex Cruz to demonstrate pure apathy for his customer base. I was a victim of both the ‘incorrect pricing’ debacle in the summer, and this – I happened to make two bookings with BA in the affected period, forcing me to cancel my current account debit card (a card I tend to only use on *trusted* sites). I’m sure you can imagine how disruptive it is to update so many payment profiles with new card details.

    I wrote to Alex Cruz about the pricing issue, since they just cancelled my family (of 5) tickets without any notification from BA, and my letters to him personally were sporadically responded to from a customer service agent emailing from a ‘no reply’ email address.

    I’ve been a loyal customer of BA for decades. I regret their change in service recently which results in paying £3 for a cup of tea I have to make myself, while being visited by the cabin staff who address me by name and tell how valued I am.

    I think Cruz has a budget-airline attitude with premium prices.

Comments are closed.