"Brilliant" attacks on British Airways' mobile apps and websites have disclosed the names, e-mail addresses and full credit card details of 380,000 customers.
Of particular concern is that the attacker captured the three-digit CVV security code on the back of the card. Normally it should not be possible …
The data was collected from transactions made through the application and website between August 21 and September 5, the BBC reports.
"Name, e-mail address, credit card information – credit card number, expiration date and the three-digit [CVV] code on the back of the credit card," says BA boss Alex Cruz.
BA insists that it does not store CVV numbers. Storing them is prohibited by international standards established by the PCI Security Standards Council.
Because BA stated that the attacker was also able to obtain the CVV number, security researchers speculate that the card details were intercepted rather than collected from the BA database.
The airline says that only transactions made between the above dates have been affected and that all customers whose details were disclosed have been contacted. BA says affected customers should contact their bank to cancel the card, and promises to compensate them for losses.
BA said that "third parties" warned it of the security breach, suggesting that it may have been detected by security researchers. If so, we will learn more soon.
The police and the Information Commissioner's Office, the UK's privacy protection body, are investigating. If BA is found to be at fault, Europe's GDPR privacy law allows the airline to be fined up to 4% of its global annual revenue, or up to £489 million (US$638 million).
Reuters reports …