British Airways breach: Old third-party software was to blame

  • The cyber-security breach at British Airways leading to a record £183m GDPR fine was caused by an outdated piece of JavaScript, and could easily have been avoided.

    Yesterday we reported the news that British Airways is to be fined a record £183m by the UK Information Commissioner's Office under new GDPR legislation. The law that came into effect last year allows a maximum fine of 2-4% of a company's annual turnover for failing to secure customer personal information in the event of a data breach, and this whopping £183m fine represents under 1.5% of British Airways' reported 2018 turnover.

    Wired UK has an interesting piece delving deep into the cause of the breach, and it turns out that unchecked third party software used on the airline's website was ultimately to blame. The personal data harvested by attackers in this breach included names, email addresses, home addresses, and full credit card numbers including the verification code.

    The verification code is not stored by payment processors after being used for verification purposes, which means the data stolen from customers was lifted right from the page itself as people submitted their credit card details. It turns out that there was a vulnerability in a JavaScript module called Modernizr that the firm was using on the site, which was exploited to redirect customer traffic to a second website run by the attackers.

    This isn't the first time a third-party module or plugin has caused data breaches in otherwise secure systems, with compromised chat bot middleware having exposed people's details on other sites in the past. This time around the problem could have been solved by simply updating Modernizr, as British Airways was running an old version from 2012 with a known vulnerability.
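    The two weaknesses described above, third-party code loaded onto a payment page without any integrity check and a library left years out of date, are both visible in the page's own markup. The following Node.js script is an added example (not code from the article, from Wired UK or from British Airways) that audits the script tags of a checkout page for exactly those conditions. The page origin, the version policy floor and the sample HTML are all assumed values constructed for the example; the Modernizr version in the sample is made up and is not the version the airline ran.

```javascript
// Added example: audit a checkout page's <script> tags for third-party code
// loaded without Subresource Integrity, and for library versions below a
// policy floor. Not the article's or British Airways' code; all values assumed.

const PAGE_ORIGIN = 'https://checkout.example.com'; // assumed first-party origin

// Assumed policy: oldest acceptable version per library (not from the article).
const MIN_VERSIONS = { modernizr: '3.0.0' };

// Constructed sample of a checkout page; the Modernizr version here is made up.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/modernizr-2.0.0.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/vendor-1.4.0.js"
        integrity="sha384-constructedHashValue" crossorigin="anonymous"></script>
`;

// Pull src and integrity out of every <script ...> opening tag.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script, not a remote dependency
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

// Recover "<name>-<semver>" from a script file name, e.g. modernizr-2.0.0.min.js.
function parseLibraryVersion(src) {
  const file = src.split('/').pop();
  const m = /^([a-z][a-z0-9]*)[-_.]v?(\d+\.\d+\.\d+)/i.exec(file);
  return m ? { name: m[1].toLowerCase(), version: m[2] } : null;
}

// Numeric comparison of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Relative URLs resolve against the page itself, so they count as first-party.
function isThirdParty(src, pageOrigin) {
  return new URL(src, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Return one finding per weakness found: { src, issue }.
function auditScripts(html, pageOrigin = PAGE_ORIGIN, minVersions = MIN_VERSIONS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (isThirdParty(s.src, pageOrigin) && !s.integrity) {
      findings.push({ src: s.src, issue: 'third-party script loaded without integrity attribute' });
    }
    const lib = parseLibraryVersion(s.src);
    if (lib && minVersions[lib.name] && compareVersions(lib.version, minVersions[lib.name]) < 0) {
      findings.push({ src: s.src, issue: `${lib.name} ${lib.version} is below policy floor ${minVersions[lib.name]}` });
    }
  }
  return findings;
}

// Stand-alone run: list findings for the constructed page.
for (const f of auditScripts(SAMPLE_HTML)) console.log(`${f.src}: ${f.issue}`);
```

    On the constructed page the audit reports three findings: the Modernizr file is both third-party without an integrity attribute and below the policy floor, and the analytics script is third-party without an integrity attribute; the vendor bundle passes because it carries an integrity hash, and the first-party file is not checked for integrity at all. Running a check like this in a build or deployment pipeline turns "unchecked third-party software" into a failing test rather than something discovered after a breach.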

    Breaches of this kind highlight the importance of having robust cyber-security practices, of keeping IT systems continually up to date, and of re-engineering products when vulnerabilities become known. Though the breach came from a third-party piece of code, British Airways itself is responsible for having such poor IT practices that its code wasn't re-examined for seven years despite vital security updates having been released for it.

    British Airways is expected to appeal the £183m fine by the ICO and has complied with its investigations. The scale of the breach (with over half a million people affected) and ease with which it could have been avoided are likely to factor into decisions regarding whether the fine should go ahead.

    Source: Wired UK

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.

