British Airways stored administrator password and credit card data in plain text

British Airways has been fined 20 million pounds by the British regulator ICO for not having its security in order. Among other things, the company stored sensitive data unencrypted.

The Information Commissioner’s Office was fined 33 million euros after an investigation into a large-scale data breach in 2018, in which personal data of 380,000 people was stolen, including credit card details including CCV numbers. The privacy authority describes the course of the hack of the payment systems and lists where things went wrong with security.

The attackers managed to gain access to British Airways’ networks using account information from a Swissport employee. From there, the attackers managed to get tools within the Citrix environment that they could use to screen the network. For example, they discovered a login name and password of an administrator account that were stored in plain text and that, according to the ICO, gave almost unlimited access to the domain.

For example, the attackers were able to log in to multiple servers and on July 26, 2018, they were able to access log files containing, again in plain text, stored credit card information, including CCV numbers. Thanks to a test function that went live due to human error, the credit card data had been logged so unencrypted since December 2015. The retention period was limited to 95 days, which limited the damage somewhat, but the data of 108,000 cards was still so insightful.

The fine is much lower than the amount of 183 million pounds that the ICO threatened with last year, partly because the aviation sector is in financial difficulties due to the corona pandemic. During the talks over the amount of the fine, British Airways called credit card data breaches to the ICO “a completely mundane phenomenon.”