SC media – ‘The cyber-security source’ is providing a more educated view of what may have happened around the BA data breach than the UK newspapers have managed.
They report that Marcus Gill Greenwood, CEO at Ubio, visited the BA web site and using tools readily available within his browser, found that the BA payment page references seven other domains during the booking process. These provide visitor tracking, customer service support and various other tasks but also, they provide the details of the booking to the external suppliers. You can read his full article here. The author suggests that the credit card data should have been secured within an iframe – an element of a web page.
The suggestion is that malicious java script was loaded and that this ‘stole’ the credit card information of anyone booking. It also suggest, says Greenwood, that this mechanism rather than a database hack is most likely the cause.
This seems likely as the payment mechanism from the app and web site were both impacted by the breach. The report goes on to indicate that the problem that Ticketmaster had recently was of the same type. Most likely the problem happened at one of the seven domains referenced rather than at BA.
Perhaps inevitably a law firm is looking to make some fees from the debacle by seeking to obtain permission for the UK version of the US ‘class action’ lawsuit. SPG law, the UK arm of a large US company, is looking to launch a £500m suit against BA. Their claim is for “inconvenience, distress and misuse of … private information”
There are reports of people receiving Phishing emails from bad actors purporting to be from BA. If you get one please be very careful as it is likely they are trying to obtain more information about you to perpetrate a fraud.
Flyertalk also reports that BA is calling selected customers to reassure them about what happened, but some people are being told that compensation is being considered whilst others are told that it’s not. No call to me yet.
American Express, whose BA credit card I hold, have told me to do nothing and they are monitoring my account. Of course, I am taking steps. I have turned on daily text messages for my current account where my debit card payment came from and am checking my Amex every day.