A security weakness in British Airways’ check-in system could potentially allow hackers to steal personal data belonging to BA passengers.
Mobile security company Wandera discovered the vulnerability, which arises from the check-in links that BA emails its customers. These personalised links include the last name and confirmation number belonging to each customer.
While these links are intended to make it easier for customers to log in to BA services and check in for their flight, they could also be used by malicious actors to gain unauthorised access to an account and steal other personal information, such as email addresses, telephone numbers, loyalty program membership numbers, flight details, and more.
The links sent by BA are unencrypted, meaning that, should a customer’s web data be intercepted, hackers would have all the information they need to breach the account. Michael Covington, Wandera’s vice president, told Fortune that this is akin to “having the keys to the kingdom”.
Wandera claims to have monitored more than 2.5 million link requests to BA domains in the past six months, and started noticing an increase in unencrypted connections in the past few months.
There is no evidence that this vulnerability has been exploited. British Airways has insisted in an email to Verdict that a data breach has not occurred and no customer data has been compromised.
“We take the security of our customers’ data very seriously,” a British Airways spokesperson told Verdict. “Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.”
Wandera claims that it contacted BA’s data protection officer twice regarding the flaw, but did not receive a response. A BA spokesperson told Verdict that it had not received any information from Wandera in relation to this.
Wandera discovered a similar flaw affecting airlines Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia in February, and has urged all airlines to adopt encryption throughout their check-in process.
British Airways’ ‘annus horribilis’ continues
This discovery, while small in comparison, comes a month after the airline was handed a record-breaking £183m fine by the UK’s Information Commissioner’s Office (ICO) for a data breach disclosed in September 2018. Cybercriminals were found to have stolen payment information belonging to some 380,000 BA customers through a malicious script injected into BA’s online payment form.
It also comes a week after IT failures brought many BA passengers to a standstill at London’s Heathrow, Gatwick and City airports.
Following that incident, Paul Farrington, EMEA CTO at Veracode, suggested that British Airways might be experiencing its ‘annus horribilis’ – Latin for “horrible year” – as a result of its IT failures. And this latest flaw is just another example of BA’s security failings.
“It seems BA can’t catch a break, but what all these recent failings showcase is the knock-on effect that security flaws can have on a business,” Farrington told Verdict.
The check-in links sent by BA compromise the security of their customers, Farrington says. Although BA intended to improve the customer experience, it has failed to consider a “hostile internet environment”. While the flaw couldn’t be used to steal payment information, the type of data that would be available is still “highly desirable” to malicious actors.
Farrington believes that a security review prior to coding would have likely caught this vulnerability before it was produced, let alone before it went public.
“Organisations are under pressure to make customer interactions as frictionless as possible. In this case, BA may have strayed too far from good design in striving for user convenience, rather than addressing security considerations.
“A security design review, before coding started, should have caught the lack of authentication and surnames being sent as part of the URL request to the server. This is perhaps an example of the hostile internet environment not being considered before the software was created. A manual penetration test should also have been able to observe the issue, before releasing the software to production.”