FlyerTalk Forums - View Single Post - BA Investigating Theft of Personal and Financial Data
Sep 9, 2018, 11:12 am
  #760  
Ldnn1
 
Join Date: Aug 2013
Posts: 8,769
Originally Posted by BritBoyInFL
I know enough about data security to be dangerous (mostly to myself), but I'm far from an expert.

Some thoughts ....

At the moment only selective people within the BA organization and trusted vendors know how the data was acquired. It is highly unlikely the method will ever be made public. There is as much chance of a sophisticated data stream grab as there is of gaining access to a database, or as simple as some 3rd party injecting some code into the workflow that re-directs a copy of the order data.

As others have mentioned, the FACT? that the BA IT infrastructure was not closed down while the entry point was secured, suggests that it was a relatively primitive attack, where the hole in security, once observed, was simple to close. It may even be possible that it was NOT the hole in security that was found, but the data was observed being advertised as available on the dark web! EVERY company with IT requirements similar to BA doesn't just try (ha ha ha ha) and protect the data on their website, but they meticulously trawl known servers for data that could have been captured from their website. This is one very scary aspect that has received NO discussion. The possibility that the 'hack' was not discovered due to a security analysis of the website, but as a result of data being made available on the dark web. A real case of finding which stable door is open long after your horse is discovered in someone else's stable!

Each of us has differing opinions of the negative impact caused by our credit card details or our personal information being in the 'dark' domain.

One of the biggest problems hackers have is finding matching data. As an example, your name and date of birth are already out there. But, they don't have your mailing address. Now they get your mailing address, but don't have your credit card number. Now they have your credit card number but don't have your CCV. And finally, they want your mother's maiden name, your NI or SSN number, etc. etc. etc. It's all about building a profile of your data, which may not come from a singular source/attack. As such, each individual piece of information, relating to each of us, may not be that big of a deal. But, for some of the 380,000, it might be the piece of the puzzle that lets someone pretend to be you and cause massive havoc with your credit.

I've re-typed this post 10+ times as I didn't want it to read as a scare piece. Sorry ..... but for a small percentage of the 380,000 I suggest you contact BA for approval to obtain credit security from one of the major suppliers (some of whom have actually been hacked themselves :O). Don't wait until your horse has bolted !
Very interesting point about finding out from seeing the data for sale rather than actually spotting the hack. If that’s the case, I suppose it’s even possible it wasn’t BA or BA suppliers who discovered the data at all but perhaps just some random person who then reported it. So who knows how long it could’ve gone on for.

On the last point, BA have offered a credit monitoring service to all affected customers but I don’t think we’ve got the details yet.