More Problems For British Airways – Now An e-ticketing Vulnerability Has Been Discovered

More bad news for British Airways. A week after IT failures in its ticketing system left hundreds of passengers stranded at airports, a security flaw has been reported in its e-ticketing system that could expose passengers' data, including flight booking details and personal information. The researchers estimate that 2.5 million connections were made to the affected British Airways domains over the past six months, so the potential impact is significant.


EXPERTS' COMMENTS
Felix Rosbach, Product Manager, comforte AG
August 15, 2019
This is a classic example of taking user experience over cyber-security. Especially in the online world, consumers are requesting new, innovative, streamlined ways to manage their accounts and bookings, and companies have to be on par with their demands to retain market share. To find a balance between fast adoption and data protection can be a tough job. While it's always easier to implement new ....
Saryu Nayyar, CEO, Gurucul
August 15, 2019
This incident, so soon after the devastating data breach that British Airlines recently suffered, shows that many companies are still not getting the cybersecurity basics right. To protect their data, companies should, at the least, encrypt all sensitive data, and the keys to decrypt the data should not be stored with the solution or host database itself. Organisations should also consider modern ....
Javvad Malik, Security Awareness Advocate, KnowBe4
August 15, 2019
Sending unencrypted emails with authentication data in the URL is certainly far from good security practice and, given the recent British Airways fines proposed by the ICO, it does not paint a good picture. However, in order for this attack to be successful, the attacker needs to be connected to the same WiFi network as the victim in order to intercept the email and view the booking. Because of ....
Hugo van den Toorn, Manager, Offensive Security, Outpost24
August 15, 2019
This is a classic example of what is described as Sensitive Data Exposure in the OWASP Top Ten. It is not just at risk of being captured in transit, but it could well be that this data is also stored in plain text on systems that process the request, meaning the data could have been stored in, for example, logs, waiting for an attacker to find it. ....
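The two comments above describe the same failure class: identifying data placed in a link's query string is recorded wherever the request passes (web-server access logs, proxies, browser history, Referer headers), whether or not the email that carried the link was intercepted. The Python below is an added illustration, not code from British Airways, the researchers or any of the commenters; the log line, parameter names, URL and `CheckInTokens` class are constructed for the example. It shows a small detector for such parameters in a Common Log Format access-log line, and one mitigation: an opaque, short-lived, single-use token kept server-side only as a hash, so that even when the link is logged it identifies nobody and is useless after first use or expiry.

```python
"""Leaky check-in links vs. opaque single-use tokens (illustrative, not BA's code)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed access-log line (Common Log Format). A link whose query string
# carries booking data ends up in exactly this kind of record on every hop.
LEAKY_LOG_LINE = (
    '203.0.113.7 - - [15/Aug/2019:09:14:02 +0000] '
    '"GET /checkin?booking_ref=ABC123&surname=SMITH HTTP/1.1" 200 5121'
)

# Query parameters that should never appear in a URL (hypothetical names).
SENSITIVE_PARAMS = {"booking_ref", "pnr", "surname", "lastname"}


def sensitive_params_in_log(line: str) -> dict:
    """Return the sensitive query parameters recorded in one CLF log line."""
    request = line.split('"')[1]            # e.g. 'GET /checkin?... HTTP/1.1'
    path = request.split(" ")[1]            # the request target
    query = parse_qs(urlparse(path).query)
    return {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}


TOKEN_TTL_SECONDS = 15 * 60  # a check-in link does not need to live for weeks


class CheckInTokens:
    """Hypothetical token store: opaque, expiring, single-use, hashed at rest.

    The URL carries only a random token. The server keeps sha256(token), so a
    leaked database or log of the store itself does not yield usable links, and
    a logged URL is dead after its first use or after TOKEN_TTL_SECONDS.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._store = {}  # sha256(token) -> (booking_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, booking_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: unguessable
        self._store[self._digest(token)] = (booking_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the booking id for a valid token, consuming it; else None."""
        entry = self._store.pop(self._digest(token), None)  # pop => single use
        if entry is None:
            return None
        booking_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return booking_id


def hardened_checkin_link(tokens: CheckInTokens, booking_id: str,
                          base: str = "https://example.test/checkin") -> str:
    """Build a check-in link whose query string identifies nobody."""
    return f"{base}?t={tokens.issue(booking_id)}"


if __name__ == "__main__":
    print("leaked from log:", sensitive_params_in_log(LEAKY_LOG_LINE))
    store = CheckInTokens()
    link = hardened_checkin_link(store, "booking-42")
    print("hardened link:", link)
    token = parse_qs(urlparse(link).query)["t"][0]
    print("first redeem:", store.redeem(token), "second redeem:", store.redeem(token))
```

The token is still visible in logs, so the design does not rely on keeping it secret; it relies on the token being meaningless on its own, expiring quickly and working once. The remaining caveat the comments above raise still applies: the email itself travels wherever the mail infrastructure sends it, so the link should also require a second factor the email does not contain before showing personal data.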
Cesar Cerrudo, CTO, IOActive
August 13, 2019
Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase.
When building a customer facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is – after all, your passport is one of, if not THE most, expensive and trusted government documents you own. Yet while it is common practice for airlines to use third party p ....
