On September 7th, it was publicly disclosed that 380,000 customer transactions processed by the British Airways website between August 21st and September 5th were compromised by attackers. The information believed to have been obtained includes the name, email address, and credit card information for each transaction, including the credit card CVV code.
Details of exactly how the British Airways site was hacked are not publicly available at this time. Because the CVV code was part of the stolen data, security researchers believe that the hackers may have copied customer data as it was entered into the British Airways website.
Affected users are currently being notified. British Airways disclosed the breach within 72 hours of becoming aware of it, as required by the new GDPR regulations. Under GDPR, if British Airways is found not to have done enough to protect consumer information, it could face a fine of up to 4 percent of annual revenue, which is by some estimates around 500,000 pounds.
Proficio Threat Intelligence Recommendations:
- Validate that public-facing web services that process payment information are patched.
- Make sure websites that process payment information have a continuous monitoring solution in place to detect intrusions.