Timeline
On 22 June 2018, an attacker gained access to the British Airways network by means of compromised login details—a stolen username and password—from an employee of Swissport, a third-party cargo handler. The compromised account did not have multi-factor authentication (MFA) enabled, a security measure that requires a second step in addition to a password, such as a code sent to a phone. British Airways later found that the attacker had compromised five such Swissport accounts.[6]
The accounts allowed the attacker to access only a limited set of applications and data within a virtual environment provided by the Citrix platform, which British Airways used to let staff and partners run internal applications over the internet. However, the attacker was able to break out of that environment. Having done so, they found a file containing the username and password of a highly privileged user saved to a file that could be accessed by any user of the domain.[6]
On 26 June 2018, the attacker was able to find the username and password for a database System Administrator.[6]
On 26 July 2018, the attacker was able to access text files containing payment card details for British Airways redemption transactions. The UK Information Commissioner's Office's report highlighted this issue:[6] The logging and storing of these card details (including, in most cases, CVV codes) was not an intended design feature of British Airways' systems and was not required for any particular business purpose.
It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. British Airways has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.
The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker.
Because this information was stored in plaintext—not encrypted—anyone who could read the logs could see the full card details.[6]
Between 14 August 2018 and 25 August 2018, the attacker was able to add 22 lines of JavaScript to the British Airways website so that customer payment information would be funneled to a website controlled by the attacker (titled "BAways", whereas the official site is www.britishairways.com).[6][7][8][9]
Discovery
On 5 September 2018, a third party informed British Airways that data from its website was being sent to a third-party site, indicating that the site had been compromised. Within 90 minutes, British Airways removed the malicious code.[6]
British Airways has not publicly identified the third party. According to reporting in The Independent, the airline said only that "a third party noticed some unusual activity and informed us about it", and the newspaper understood the third-party to be a company, possibly another airline, that had seen a high volume of attempted fraudulent transactions and traced them back to British Airways.[10]
On 6 September, British Airways informed the ICO and 496,636 affected customers.[6] British Airways issued a public statement saying that it was "investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline's mobile app", and that the stolen data did not include travel or passport details but concerned around 380,000 payment cards.[11] The statement said that the breach had been resolved, the website was operating functionally, and that British Airways had notified the police and relevant authorities and was contacting affected customers.