British Airways has warned customers of a data breach that has resulted in the credit card details - including full card verification value (CVV) digits - of some 380,000 customers being exposed to attackers as-yet unknown.
In a press releases from British Airways' parent company International Airlines Group (IAG), the severity of the data breach is made clear: Personal and financial details, which the company has since confirmed includes payment card number, expiry date, and card verification value (CVV) digits, of all customers who booked flights from either the company's website or its mobile apps. Passport information, the company thankfully confirms, was not included.
The inclusion of CVV digits in the breach is unusual: The three- or four-digit code, typically found on the signature strip at the rear of the card and used to confirm that the person making the transaction has the physical card in-hand, is specifically required to be discarded after verification and not stored on any payment or intermediary system. That the attackers were able to obtain CVV digits both increases the severity of the breach, allowing them to quickly and easily use the stolen card details at any cardholder-not-present payment system, and raises concerns about British Airways' adherence to Payment Card Industry (PCI) standards - though if the attack were based on a man-in-the-middle approach, it's possible the attackers could monitor the CVV during the transaction even if it was properly discarded at the end.
'We are deeply sorry for the disruption that this criminal activity has caused,' said British Airways' chair and chief executive Alex Cruz in a brief statement on the matter. 'We take the protection of our customers' data very seriously.'
British Airways has contacted all customers, some 380,000, who purchased tickets between late August 21st through to September 5th inclusive. The company is also in contact with the police regarding the matter. Those concerned can find more information on the company's frequently asked questions page.
September 18 2020 | 18:30