British Airways Data Breach: How Hackers Might Have Gotten in and What Businesses Can Do to Protect Themselves
On September 6, 2018, British Airways disclosed that the company had suffered a data breach affecting the personal and financial data of approximately 382,000 customers. Customers who had used BA’s web or mobile app to make or modify a booking between August 21 and September 5 were impacted. In the aftermath of the breach, BA faces consumer opprobrium and the potential for significant regulatory consequences. While BA has revealed no details of how the intrusion occurred, Certus Cybersecurity Solutions has developed a theory of how the hackers got in. Our conclusions regarding the BA intrusion hold valuable lessons about the actions companies need to take now to protect themselves against data breaches.
Authorities, including the police and the UK Information Commissioner’s Office, are actively investigating the breach. If BA is found to have violated EU data protection laws, the airline could be fined up to 4% of its total annual worldwide turnover. As the BA breach demonstrates, the financial toll associated with a major data breach has never been higher, and the case for investing to build cybersecurity capability has never been stronger.
It is possible to make inferences about the steps taken by the BA hackers, since the attack appears to have been confined to payment card information entered on BA’s web and mobile sites and did not impact PayPal transactions, third-party bookings or telephone payments. During our investigation, one of the first things we observed was that BA’s web and mobile applications have not been updated following the breach – an action one would expect to see if the applications themselves had caused the intrusion. We can therefore deduce that some other component of BA’s source code, such as the Application Programming Interfaces (APIs) which facilitate communication between apps, may have resulted in the breach.
Following this logic, we looked at the APIs used on BA’s checkout page[i]. Since the last update to the company’s mobile application is pre-breach, we can conclude that the mobile application was not impacted – if it had been, BA would have performed an update as soon as the breach was discovered. We found two payment-related API calls, or requests for information: one to a BA API labeled Orders (https://www.britishairways.com/api/sc4/sse-sbkm/rs/v1/orders) and another to a “webdata” subdomain hosted at iag.cloud. The Orders API call was frequently used to send PayPal and credit card transactions; however, the call to the webdata subdomain was not. From this fact we can deduce that the Orders API was not impacted by the data breach but that the webdata subdomain was potentially misconfigured and abused.
Taking a closer look at the webdata subdomain, we discovered that it was an Amazon Web Services-hosted web app that receives POST data containing sensitive payment card information. This domain is apparently used by British Airways for business intelligence and analytics. We suspect the improperly secured webdata subdomain is where the attackers were able to exfiltrate the sensitive information of 382,000 BA customers.
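As an added illustration of the kind of audit described above (example code written for this page, not Certus's or BA's tooling; the hosts, paths and request bodies are constructed placeholders), the following Python flags checkout POSTs that carry a Luhn-valid card number to any host outside a first-party allowlist:

```python
import re
from urllib.parse import urlparse

# Constructed sample of outbound requests captured from a checkout page.
# Hosts and paths are placeholders, not British Airways' real endpoints.
CAPTURED_REQUESTS = [
    {"method": "POST", "url": "https://shop.example/api/v1/orders",
     "body": {"pan": "4111111111111111", "cvv": "123", "amount": "199.00"}},
    {"method": "POST", "url": "https://webdata.thirdparty-cloud.example/collect",
     "body": {"card_number": "4111111111111111", "expiry": "12/26", "session": "abc"}},
    {"method": "POST", "url": "https://analytics.thirdparty-cloud.example/event",
     "body": {"event": "checkout_view", "order_id": "A1B2"}},
    {"method": "GET", "url": "https://shop.example/static/app.js", "body": {}},
]

# Hosts that are allowed to receive card data (assumed first-party payment backend).
FIRST_PARTY_HOSTS = {"shop.example"}

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random numeric ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(body: dict) -> bool:
    """True if any field value looks like a card number and passes the Luhn check."""
    return any(isinstance(v, str) and PAN_RE.match(v) and luhn_valid(v)
               for v in body.values())


def audit_requests(requests, first_party_hosts):
    """Return (host, path) for each POST that sends a card number to a non-first-party host."""
    findings = []
    for req in requests:
        if req["method"] != "POST":
            continue
        parsed = urlparse(req["url"])
        if parsed.hostname in first_party_hosts:
            continue
        if contains_card_number(req["body"]):
            findings.append((parsed.hostname, parsed.path))
    return findings
```

Run against a HAR export or proxy capture of a real checkout flow, every finding is an endpoint that should appear in the payment data-flow inventory and in the page's CSP connect-src allowlist, or be removed.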
A similar breach was reported by Ticketmaster in July 2018. The ticket-selling giant admitted that customers had their payment data compromised because Ticketmaster’s website was sharing payment card information with Inbenta.com, an AI-enabled software company whose customer support APIs had been exploited by hackers.
So now the big question is how leading companies can better protect their customers against attacks exploiting web and API misconfigurations. Companies should start with a close re-evaluation of their entire software supply chain. This includes cloud infrastructure, configuration management, identity and access management and web asset management. With deep expertise securing applications and infrastructure for Fortune 500 companies, Certus Cybersecurity Solutions has a track record of effectively securing the SDLC of its clients at DevOps speed.
Companies are actively adopting DevOps as a software development approach and releasing code at an increasingly rapid pace. However, too often, these companies are failing to effectively integrate security with DevOps. Certus Cybersecurity Solutions is well positioned to help guide our clients in addressing these challenges by safeguarding against data breaches without sacrificing operational efficiency.
If you have any questions or comments regarding the matters covered in this publication, please contact us at firstname.lastname@example.org.
About Certus Cybersecurity Solutions LLC
Certus Cybersecurity Solutions LLC provides cybersecurity advisory and technical services to businesses seeking to safeguard their critical systems and applications from data breach and disruption. With deep expertise in enterprise cybersecurity and a track record of leveraging our experience in combination with cutting-edge technologies, Certus is a trusted partner to companies seeking to proactively build cybersecurity capability.