British Airways Security Report

Security Summary

Company Information

  • Founded: 1974 (through merger)
  • Employees: 40,000
  • HQ: Harmondsworth, England
  • CEO: Álex Cruz
  • Revenue: £11,443 million (2016)
  • Net income: £1,473 million (2016)

BritishAirways.com - Top 5 Security Risks

1. Domain Registry Protection

Potential for domain to be hijacked

There are three issues contributing to an increased risk of the British Airways domain being hijacked. These are:

  • Domain registry deletion protection not enabled
  • Domain registry transfer protection not enabled
  • Domain registry update protection not enabled

2. X-Powered-By HTTP Header

Third and fourth-party vulnerabilities are exposed

British Airways has exposed its server information through an X-Powered-By header, which reveals the third-party technologies running on its servers. Those product names and versions can be matched against CVE (Common Vulnerabilities and Exposures) databases and exploited by attackers.

3. HTTP Strict Transport Security (HSTS)

Increased susceptibility to man-in-the-middle attacks

HSTS helps protect websites against attacks such as cookie hijacking by mandating that browsers interact with them only over HTTPS. British Airways has five open issues related to HSTS:

  • HTTP Strict Transport Security (HSTS) not enforced
  • HSTS header does not contain max-age
  • HSTS header does not contain includeSubDomains
  • HSTS header not prepared for preload list inclusion
  • Secure cookies not used

4. HttpOnly Cookies

Vulnerability to XSS (Cross-Site Scripting) attacks

HttpOnly cookies help reduce the impact of an XSS attack by preventing malicious client-side code from reading cookie values. British Airways has three cookies exposed to this risk.
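The three header findings above (X-Powered-By, the five HSTS items and the HttpOnly flag) can all be checked from a single HTTP response. The following is an added example written for this page; it is not UpGuard's scanner and not code from British Airways. The response headers and Set-Cookie values it inspects are constructed samples, not captured from britishairways.com, and the one-year `max-age` threshold is the minimum the public HSTS preload list requires.

```python
"""Audit one HTTP response for the header weaknesses listed in the report.
Added example: not UpGuard's scanner; all sample data below is constructed."""

# hstspreload.org requires max-age of at least one year, includeSubDomains
# and preload before a domain is accepted onto the browser preload list.
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def parse_set_cookie(value):
    """Return (cookie name, dict of lowercase attributes) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_headers(headers, set_cookies):
    """headers: single-valued response headers (case-insensitive names).
    set_cookies: list of raw Set-Cookie values, since a response may send several.
    Returns a list of finding strings; an empty list means no issue found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 2. Technology disclosure
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By header exposes server technology: {h['x-powered-by']}")

    # 3. HSTS: presence, max-age, includeSubDomains, preload readiness
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS not enforced (no Strict-Transport-Security header)")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None:
            findings.append("HSTS header does not contain max-age")
        elif max_age.strip() == "0":
            findings.append("HSTS not enforced (max-age=0 clears the policy)")
        if "includesubdomains" not in d:
            findings.append("HSTS header does not contain includeSubDomains")
        try:
            age_ok = int(max_age) >= PRELOAD_MIN_AGE
        except (TypeError, ValueError):
            age_ok = False
        if not (age_ok and "includesubdomains" in d and "preload" in d):
            findings.append("HSTS header not prepared for preload list inclusion")

    # 3 and 4. Cookie flags: Secure (HTTPS only) and HttpOnly (no script access)
    for raw in set_cookies:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} not marked Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} not marked HttpOnly")
    return findings


# Constructed sample: a weak configuration of the kind the report describes.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "X-Powered-By": "ASP.NET",
    "Strict-Transport-Security": "max-age=300",
}
WEAK_COOKIES = ["SESSIONID=abc123; Path=/", "lang=en; Path=/; Secure"]

# Constructed sample: the same response with the issues corrected.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
HARDENED_COOKIES = ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_headers(hdrs, cookies) or "no findings")
```

Against a live site you would feed it the headers of an HTTPS response (and every `Set-Cookie` line, not just the first); note that browsers only honour an HSTS header received over HTTPS, so the same check on a plain-HTTP response says nothing about enforcement.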

5. DNS Secure Extensions (DNSSEC)

Potential for DNS man-in-the-middle attacks

DNSSEC helps prevent attackers from forging or intercepting the DNS records that vouch for British Airways' identity. British Airways does not have DNSSEC configured for its domain.
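Items 1 and 5 are both visible in the registry's public WHOIS/RDDS record for a domain: the EPP status codes show which registrar and registry locks are set, and the `DNSSEC:` field shows whether a signed delegation exists. The following added example (written for this page, not UpGuard's scanner) parses that record format and reports the same four findings the report lists. The two WHOIS records are constructed samples for a placeholder domain, not real output for britishairways.com; a live check would feed the same parser the text returned by a WHOIS or RDAP client.

```python
"""Derive the domain-lock and DNSSEC findings from a WHOIS/RDDS record.
Added example; WHOIS text below is constructed, not real registry output."""
import re

# EPP status codes (RFC 5731) that block each operation named in the report.
# "client*" locks are set by the registrar; "server*" locks are set by the
# registry itself and cannot be cleared from the registrar control panel,
# so they are the stronger protection against account takeover at the registrar.
LOCKS = {
    "deletion": ("clientDeleteProhibited", "serverDeleteProhibited"),
    "transfer": ("clientTransferProhibited", "serverTransferProhibited"),
    "update": ("clientUpdateProhibited", "serverUpdateProhibited"),
}

# ICANN-format records print one "Domain Status: <code> <url>" line per status
# and a "DNSSEC: signedDelegation" or "DNSSEC: unsigned" line.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
DNSSEC_RE = re.compile(r"^\s*DNSSEC:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_whois(text):
    """Return (set of EPP status codes, DNSSEC field value or None)."""
    statuses = set(STATUS_RE.findall(text))
    match = DNSSEC_RE.search(text)
    return statuses, (match.group(1) if match else None)


def audit_registration(text):
    """Return the findings for one WHOIS record, worded as in the report."""
    statuses, dnssec = parse_whois(text)
    findings = []
    for operation, codes in LOCKS.items():
        if not any(code in statuses for code in codes):
            findings.append(f"Domain registry {operation} protection not enabled")
    # Anything other than signedDelegation means no DS record at the parent zone,
    # so resolvers cannot validate the domain's answers.
    if dnssec is None or dnssec.lower() != "signeddelegation":
        findings.append("DNSSEC not configured for domain")
    return findings


# Constructed sample: no locks, no DNSSEC (the state the report describes).
WEAK_WHOIS = """\
Domain Name: example-airline.test
Registrar: Placeholder Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
DNSSEC: unsigned
"""

# Constructed sample: all three locks plus a signed delegation.
LOCKED_WHOIS = """\
Domain Name: example-airline.test
Registrar: Placeholder Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
DNSSEC: signedDelegation
"""

if __name__ == "__main__":
    print("weak:", audit_registration(WEAK_WHOIS))
    print("locked:", audit_registration(LOCKED_WHOIS) or "no findings")
```

The WHOIS field only reflects whether the parent zone holds a DS record; confirming that the zone actually validates requires a DNSSEC-aware resolver query (for example `dig +dnssec` and checking for the AD flag), which this offline example does not perform.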

Data Breaches and Security News

Pinned: Sep 7, 2018

380,000 customers had their data stolen in a massive breach

British Airways has admitted that a data breach has affected 380,000 customers. The breach exposed personal information, as well as credit card numbers, CVV numbers and expiry dates. Given the attackers were able to compromise CVV numbers, it is suspected that the data was intercepted, rather than stolen from British Airways' database records. The company made their announcement on September 10 via their website.

There has been outcry over the breach of CVV numbers, exposing BA customers to financial fraud as well as the standard identity theft that goes with data breaches. PCI-DSS rules imposed by card issuers penalise companies (such as BA) who improperly secure credit card details. Even worse, European GDPR fines may apply, with penalties as high as 4% of revenue, or £500m in BA's case.

Sep 11, 2018

The British Airways data breach shows that regulation works

Every so often, regulation works. Last week’s disclosure by British Airways that cyber criminals had stolen the financial details of 380,000 customers was one of those rare times. The EU’s new General Data Protection Regulations, which went into effect in May, require companies — on pain of large fines — to disclose hacks within 72 hours. BA duly complied last week. (Source: Financial Times)

Sep 10, 2018

British Airways hacking: how not to respond to a cyber attack

Chaos appears to reign at British Airways, where hackers stole the details of around 380,000 customer bookings. There have been some poor responses to cyber attacks on major companies in the past, but the airline’s actions in this case could be one of the weakest in recent history. Part of this may be because companies are now required by the EU to report cyber attacks within 72 hours, and because information may still be being withheld due to an ongoing criminal investigation. (Source: The Conversation)

Sep 7, 2018

British Airways breach: How did hackers get in?

British Airways has revealed that hackers managed to breach its website and app, stealing data from many thousands of customers in the process. (Source: BBC)

Sep 7, 2018

380,000 customers had their data stolen in a major breach

British Airways has admitted that a massive data breach has affected 380,000 customers. The breach exposed personal information, as well as credit card numbers, CVV numbers and expiry dates. The company made their announcement on September 10 via their website.
