Russian Hackers Selling Stolen British Airways Customer Data

As an update, British Airways has issued the following statement regarding this incident:

“As soon as we discovered the data theft, we immediately contacted all affected customers to recommend they contact their banks to cancel or provide extra protection to their cards.

We have had no verified cases of fraud since the incident.”


As well as airline insolvencies, 2018 will be remembered as a year when numerous major airlines were hit by cyber criminals, with valuable passenger data stolen. Air Canada and Cathay Pacific were hit, as well as British Airways, which said at the time:

From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised. The stolen data did not include travel or passport information.

The breach has been resolved and our website is working normally.

We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.

We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.

If you were one of the affected customers, you may wonder what whoever stole your personal information (i.e. credit card details) was planning to do with it.

The Daily Mail reports that the customer data stolen from British Airways has been listed on the dark web for sale by Russian-led criminal group Magecart.

For those of you who are unaware of what the dark web is, it operates as a sort of ‘second internet,’ which can only be accessed with special software.

It’s far more anonymous and harder to track, and information and goods are bought and sold, including stuff that’s often illegal for sale on the normal internet. This includes things like drugs, weapons, and personal information, such as credit card information stolen by hackers from a large company.

It’s extremely difficult to identify both sellers and buyers on the dark web.

British Airways stolen customer data was listed for sale, for between £6.94 and £38.58 (~USD$9 and $50) per customer. The varying prices related to the the country of origin of the customer, as cards from some countries are considered more valuable than others — I’m not sure if this is because of the reduced security features of certain countries cards, or perhaps the higher card limits.

Although each customer data lot is not individually identified to dark web buyers, the hackers state they are selling personal information (including credit card details) from the UK, US, Germany, Italy, Spain, Canada, France, Korea, Mexico, Argentina, Brazil and China.

The dark web itself is vague and anonymous by design, so there’s no way of knowing how many lots of personal information may have been sold. But if all of the customer data is sold, these hackers stand to profit around £9.4 million (~USD$12 million).

Given how anonymously the dark web operates (by design), the only way British Airways could try to recover all of the stolen data would be the buy all of the customer data lots themselves, but then again there is no assurance these hackers would not then sell the same information onto other buyers.

Bottom line

I fell within the time period of the hack, so there’s a good chance my personal information was compromised.

While I do take some comfort in my card issuer assuring me that I will not be liable for any loss suffered as a result of the data theft, it is also very worrying to think my personal information is for sale, especially for such a low price.

Now might be the time to change my card number, even if American Express UK assures me it is not necessary.

Keep your eyes out for any suspicious activity on your accounts.

Did you get caught up in the British Airways data breach?

Comments

  1. After the Equifax hack, I think virtually every American’s info is avail for sale on the dark web. Not much we can do about it.

  2. “..it is also very worrying to think my personal information is for sale, especially for such a low price.” I like your posts James but I’ll admit I got a laugh out of this line! hehe

  3. Why do you think they wanted to perform the hack in the first place? Of course it was going to end up for sale.

    Sadly par for the course nowadays.

  4. I had some Russia-based fraud on the card saved to my BA profile a month or so back. It was caught relatively quickly.

  5. What makes you certain that these people really have the BA data rather than just being fraudsters?

    Though, if you believe that, I have access to six million dollars in unclaimed tax rebates from the Nigerian government and wondered if you’d be willing to facilitate their transfer for a risk-free fee of 37%…

  6. I wonder how much credit card fraud results from these thefts. Even with travel notifications, my card companies often attempt to block my own purchases while away from home unless I text them back. Yesterday, Google informed me that there was an attempt to hack into my home security system that they shut down. The banks and other companies are getting very good at preventing fraud, almost too good, in some cases.

  7. I just started a trip on Saturday only to discover that my AMEX card had been hacked. The fraud people discovered one charge of $1500 for gift cards that was blocked and my card was blocked. So now I have no AMEX card for my hotel payments and AMEX was not able to send a card to my holiday hotel because their “systems were down”. I assume that this is the BA card hack.

    I had changed my card account password on receipt of the email from BA but it didn’t stop the hack.

    Not pleased

  8. Question is, I am getting reports now from Equafax (just yesterday) that fraudsters are now taking into frequent flyer accounts and selling the miles. Do airlines cover you for those losses or are you just SOL if this happens to you? if OMAAT can write and article on this topic it would be very helpful to us readers!

  9. @azamaraal same problem for me but at least Amex could send me a replacement. The platinum Amex I had stored in my BA profile (I really only use that card for airfares) started firing off alerts Friday night while I was traveling for someone trying to buy Apple gift cards. I called Amex and blocked the card, they reissued it and had a new one to my hotel in Europe on Tuesday. The whole thing is mainly just an annoying hassle and not very profitable for the fraudsters as all the charges were blocked anyway.

  10. We received the notice from BA that our card was compromised. Just yesterday, that card had several fraudulent charges. Now did the criminals using our card # get the card details from BA, a skimmer, or somewhere else? Impossible to know.

  11. first time ever posting on OMAAT (daily reader here, great job, guys)

    BA never notified me of my card being hacked but a short while after the news of the data theft I was charged $1,761 from “Iberia” which was not detected and posted to my CSR account (they never question any charges) and i had to call them to dispute the charge. i hope they figured out this was linked to the BA data theft.

    no problems… yet. I had to cancel and replace my CSR countless times due to Uber frauds but so far so good with CSR that has covered for me every time. any day now they may pull the signature close on my account

Leave a Reply

Your email address will not be published. Required fields are marked *