There are three issues contributing to an increased risk of British Airways' domain being hijacked. These are:
British Airways has exposed its server information through an X-Powered-By header, which reveals the third-party technologies used on its servers. These can be looked up in CVE (Common Vulnerabilities and Exposures) databases, giving attackers a shortlist of known weaknesses to try.
HSTS helps protect websites against attacks such as cookie hijacking by mandating that browsers interact with them only over HTTPS. British Airways has five open issues related to HSTS:
HttpOnly cookies reduce the impact of an XSS attack by preventing malicious client-side script from reading cookie values. British Airways has three cookies exposed to this risk.
DNSSEC helps prevent attackers from forging or intercepting the DNS records that vouch for British Airways' identity. British Airways does not have DNSSEC configured for its domain.
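The three HTTP-observable findings above (X-Powered-By disclosure, weak HSTS, cookies without HttpOnly) can be checked from a site's own response headers. The following is an added example, not code from the original page or from any vendor; it runs over constructed header sets, and the DNSSEC finding is left out because it needs a DNS query rather than an HTTP response.

```python
# Added example (not from the original page): audit a list of HTTP response
# headers for X-Powered-By disclosure, missing or weak HSTS, and cookies
# set without HttpOnly. DNSSEC needs a DNS query and is not covered here.


def check_hsts(value):
    """Flag weak Strict-Transport-Security directives."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val
    issues = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("HSTS max-age missing or malformed")
    elif int(max_age) < 31536000:  # one year, the usual recommended minimum
        issues.append(f"HSTS max-age too short: {max_age}")
    if "includesubdomains" not in directives:
        issues.append("HSTS lacks includeSubDomains")
    return issues


def audit_headers(headers):
    """Return findings for a list of (name, value) response header pairs."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        key = name.lower()
        if key == "x-powered-by":
            findings.append(f"X-Powered-By discloses technology: {value}")
        elif key == "strict-transport-security":
            hsts_seen = True
            findings.extend(check_hsts(value))
        elif key == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie '{cookie}' lacks HttpOnly")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample header sets (not captured from any real site).
WEAK = [("X-Powered-By", "Example/1.0"),
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Strict-Transport-Security", "max-age=300")]
HARDENED = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Running `audit_headers(WEAK)` reports all four problems, while `audit_headers(HARDENED)` returns an empty list.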
British Airways has admitted that a data breach has affected 380,000 customers. The breach exposed personal information as well as credit card numbers, CVV numbers and expiry dates. Because the attackers were able to obtain CVV numbers, which merchants are not permitted to store, it is suspected that the data was intercepted in transit rather than stolen from British Airways' database records. The company made its announcement on September 10 via its website.
There has been outcry over the exposure of CVV numbers, which leaves BA customers open to financial fraud on top of the identity theft risk that accompanies any data breach. PCI-DSS rules imposed by card issuers penalise companies (such as BA) that fail to secure credit card details properly. Worse still, EU GDPR fines may apply, with penalties as high as 4% of revenue, or £500m in BA's case.
Every so often, regulation works. Last week's disclosure by British Airways that cyber criminals had stolen the financial details of 380,000 customers was one of those rare times. The EU's new General Data Protection Regulations, which went into effect in May, require companies — on pain of large fines — to disclose hacks within 72 hours. BA duly complied last week. (Financial Times)
Chaos appears to reign at British Airways, where hackers stole the details of around 380,000 customer bookings. There have been some poor responses to cyber attacks on major companies in the past, but the airline's actions in this case could be one of the weakest in recent history. Part of this may be because companies are now required by the EU to report cyber attacks within 72 hours, and because information may still be being withheld due to an ongoing criminal investigation. (The Conversation)
British Airways has revealed that hackers managed to breach its website and app, stealing data from many thousands of customers in the process. (BBC)