As an update, British Airways has issued the following statement regarding this incident:
“As soon as we discovered the data theft, we immediately contacted all affected customers to recommend they contact their banks to cancel or provide extra protection to their cards.
We have had no verified cases of fraud since the incident.”
As well as airline insolvencies, 2018 will be remembered as a year when numerous major airlines were hit by cyber criminals, with valuable passenger data stolen. Air Canada and Cathay Pacific were hit, as well as British Airways, which said at the time:
“From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised. The stolen data did not include travel or passport information.
The breach has been resolved and our website is working normally.
We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.
We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.”
If you were one of the affected customers, you may wonder what whoever stole your personal information (i.e. credit card details) was planning to do with it.
The Daily Mail reports that the customer data stolen from British Airways has been listed on the dark web for sale by Russian-led criminal group Magecart.
For those of you who are unaware of what the dark web is, it operates as a sort of ‘second internet,’ which can only be accessed with special software.
It’s far more anonymous and harder to track, and information and goods are bought and sold, including stuff that’s often illegal for sale on the normal internet. This includes things like drugs, weapons, and personal information, such as credit card information stolen by hackers from a large company.
It’s extremely difficult to identify both sellers and buyers on the dark web.
British Airways’ stolen customer data was listed for sale, for between £6.94 and £38.58 (~USD$9 and $50) per customer. The varying prices related to the country of origin of the customer, as cards from some countries are considered more valuable than others — I’m not sure if this is because of the reduced security features of certain countries’ cards, or perhaps the higher card limits.
Although each customer data lot is not individually identified to dark web buyers, the hackers state they are selling personal information (including credit card details) from the UK, US, Germany, Italy, Spain, Canada, France, Korea, Mexico, Argentina, Brazil and China.
The dark web itself is vague and anonymous by design, so there’s no way of knowing how many lots of personal information may have been sold. But if all of the customer data is sold, these hackers stand to profit around £9.4 million (~USD$12 million).
Given how anonymously the dark web operates (by design), the only way British Airways could try to recover all of the stolen data would be to buy all of the customer data lots themselves, but then again there is no assurance these hackers would not then sell the same information on to other buyers.
I fell within the time period of the hack, so there’s a good chance my personal information was compromised.
While I do take some comfort in my card issuer assuring me that I will not be liable for any loss suffered as a result of the data theft, it is also very worrying to think my personal information is for sale, especially for such a low price.
Now might be the time to change my card number, even if American Express UK assures me it is not necessary.
Keep an eye out for any suspicious activity on your accounts.
Did you get caught up in the British Airways data breach?