eLearnSecurity Blog

British Airways Executive Club Accounts Suffer from Cyberattack

A few members of the British Airways Executive Club complained about their points from their accounts getting stolen. Some of these points were used to book a hotel room and others had all their points wiped out. According to a report from BBC, this issue was dated back at least 2 weeks.

In our previous article, we posted about the Hilton Hotel cyberattack targeting the membership rewards of the hotel’s website. This seems like a similar case although the security flaw from British Airways is not yet fully determined.

A statement on the airline site mentions that they are aware of the issue and advises their customers to reset their passwords as well as any other logins from online accounts where customers are using the same credentials.

“This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to these accounts. In order to protect customers’ data, we have locked down a number of customers’ accounts and asked those customers to reset their passwords. Customers can reset their passwords by following the “Forgotten PIN/Password” link in the top right hand corner of the British Airways homepage.”

British Airways is still working on the issue and assures their customers that they are taking this cyberattack seriously.

british-airways

Photo Source: markyharky

Andrea Tarquini, IT Security Researcher, shares his thoughts on the report. “It might be a simple password reuse obtained from other services or some other data leak. BUT we cannot really determine the actual flaw until we have more information. British Airways advises that all accounts with the same password details be changed because attackers can reuse the account/passwords obtained to enter in other user’s services, such as email, storage providers, an so on.”

Tips to Avoid Web App Attacks

Furthermore, here are some general tips to prevent cyber security attacks:

  • Use HASH – A company should never store user/customer passwords in clear text. The best choice is always to hash them using the currently best standard algorithm. This is the first level of security and best practice that may mitigate internal information leakage (for the user privacy point of view) or any kind of password reuse attack.
  • Strong Security Policy – A company should also have a strong security policy for the entire IT infrastructure. Generally customers services should avoid automated processes of information gathering or any kind of brute force attack. This can be done setting up captcha or two factor authentication (or similar systems) and appropriate auditing activities (especially for suspicious one). Company internal services and IT systems should also be properly protected and monitored to prevent unauthorized intrusion or any kind of data leakage. This can be done obviously relying on IT security experts to setup and use the best technologies and the best security policies.
  • Security Awareness Training  -However training is another very important point. A company should ensure all employees know and understand why it is important for them to keep access to the company data/system secure, because attackers always choose the weakest (and easiest) starting point.

Web Application Penetration Testing (WAPT) FREE Trial

WAPT If you want to learn how to find bugs in web applications, then start for FREE with our Web Application Penetration Testing course and understand the techniques in web app pentesting. Start here.

 

————————————————–


andrea_tarquiniAndrea Tarquini is an IT Security researcher and software analyst/developer at eLearnSecurity. He is the main developer of JustCryptIt and IzzieCloud. He is also the author of ‘Ruby for Penetration testing and Metasploit’ section of Penetration Testing Course Professional.

Linkedin: https://www.linkedin.com/in/andreatarquini

 

Tags: , , ,

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go to top of page