A ‘sophisticated’ attack on British Airways’ mobile app and website has exposed the names, email addresses and full credit card details of 380,000 customers.
Of particular concern is the fact that the attackers captured the three-digit CVV security codes on the backs of cards, something that should not normally be possible …
BA said that the hack gathered data on transactions made through its app and website between August 21 and September 5, reports the BBC.
“It was name, email address, credit card information – that would be credit card number, expiration date and the three digit [CVV] code on the back of the credit card,” said BA boss Alex Cruz.
BA insists it did not store the CVV numbers. Storing CVV numbers is prohibited under international standards set out by the PCI Security Standards Council.
Since BA said the attackers also managed to obtain CVV numbers, security researchers have speculated that the card details were intercepted, rather than harvested from a BA database.
The airline says only transactions made between the above dates were affected, and that all customers whose details were exposed have now been contacted. BA has advised affected customers to contact their banks to have cards cancelled, and has promised to compensate them for any loss.
BA said that ‘a third party’ alerted it to the breach, suggesting that it may have been detected by security researchers. If so, it’s likely we’ll learn more shortly.
Both police and the British privacy watchdog, the Information Commissioner’s Office, are investigating. If BA is found to have been negligent, Europe’s GDPR privacy laws would allow the airline to be fined up to 4% of its total global annual revenue, which would be a maximum of £489M ($634M).
Reuters reports a spokesperson for the prime minister, Theresa May, saying that the government is aware of the attack.
“We are aware of the reports and the National Cyber Security Centre and the National Crime Agency are working to better understand what has happened.”