It’s not been a good week for airlines and cyber security. Cathay Pacific announced that they had up to 9.4 million records compromised.
Data compromised includes:
- passenger name
- date of birth
- phone number
- email; address
- passport number
- identity card number
- frequent flyer programme membership number
- customer service remarks
- historical travel information
In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed. Their full statement is here.
Given the data compromised it sounds like there was a breach of their reservation or departure control system. The fact that so few credit cards were included makes me believe that the 403 (out of 9.4 million) were possibly manually entered into the remarks field of a booking, which in itself is a breach of what’s known as PCI:DSS (Payment Card Industry Data Security Standards).
My guess is that perhaps an historical database or data warehouse may have been uploaded to a cloud storage platform somewhere and then compromised. However that’s pure speculation on my part.
British Airways Data Breach v2
British Airways have announced that their data breach (which yours truly was affected by the first time around) is worse than thought, with an additional 185,000 payment cards being compromised.
However you wouldn’t know this, as there’s been no proactive communication from them. American Express on the other hand have already been in touch saying:
I’m writing to you in regards to the reported British Airways data breach update involving customer personal and financial details being compromised.
Once again, we want to assure you that our industry-leading fraud protection technology is continually monitoring for any suspicious activity in order to safeguard you. Also, as a Cardmember, you are not liable for any fraudulent charges that may occur on your Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.
There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.
Anything from British Airways in my inbox? Of course not. The details are as follows:
The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.
So it appears that not only was the BA.com payment page breached in the main attack, but the reward booking engine was compromised for a much longer time.
A lot has already been written about how this was accomplished by people far more technical than me, however there’s clearly something rotten in the IT services organisation at IAG (the parent company of British Airways). For this to have gone on for so long and not been spotted is pretty inexcusable. As is the contempt with which they’ve treated customers. The fact I learned of this further breach from American Express is piss poor.