British Airways Frequent Flyer Program Grounded

British Airways recently acknowledged that it suffered a security breach impacting its frequent flyer program. This is yet another security breach to impact loyalty program systems. Earlier this year both American Airlines and United Airlines suffered security breaches in which user accounts were compromised by criminals using stolen account credentials.

Loyalty programs may seem unusual targets for criminals, as they often don't hold credit card or other financial information. What is often overlooked, however, is that loyalty programs not only contain a large amount of personal data, data which could be used for later spear-phishing or identity theft attacks, but the points earned by users can also be used to purchase tickets, trips and other rewards. So in effect the points in those accounts have real value.

Late last year Europol conducted an operation which led to the arrest of 118 individuals in 45 different countries. According to the International Air Transport Association, airlines lose over US$1 billion every year to fraudulent ticket transactions. While many of these fraudulent transactions are due to compromised credit cards, the use of stolen air miles may also contribute.

A spokesperson for British Airways says the breach impacted

"a small number of frequent-flyer executive club accounts. This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts."

The spokesperson also stated that British Airways is not

"aware of any access to any subsequent information pages within accounts, including travel histories or payment-card details."

Affected customers have had their accounts frozen and will be unable to use their reward points until the system is restored to normal.

Reading between the lines of the above British Airways statement, it appears the breach was due to log-in credentials gleaned from elsewhere on the Internet and replayed against the British Airways site by an automated tool (the pattern commonly called credential stuffing). The most likely scenario is that the affected Executive Club members used the same login credentials across multiple systems; one of those systems was compromised, allowing criminals to access any of the other systems that shared those credentials.

While we can lament and scold users for this insecure practice, we should not lay all the blame solely at their feet. When I heard about the breach I decided to visit the British Airways site and register for their frequent flyers' club to see how robust their password management was.

Below is the screenshot I got when I tried to use a secure password, one which uses a mixture of upper case and lower case letters, numerals and some special characters.

As you can see, the website rejected my secure password and I had to downgrade it to one that uses only upper and lower case letters and numerals. Of course, allowing users to employ a secure password still does not protect them should they re-use that password across multiple sites. However, it does raise the security bar for that website or system and helps reinforce good security practices amongst users.
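To make the cost of that character-class whitelist concrete, here is an added example (not code from the article or from British Airways) contrasting a policy that mimics the observed behaviour with one that accepts any printable character, enforces a length floor and refuses passwords found in a breach corpus. The length bounds, the 12-character minimum and the tiny `COMMON_PASSWORDS` denylist are assumptions for illustration; the page only shows that letters and digits were the sole permitted characters.

```python
import math
import re
import string
import unicodedata
from typing import Tuple

# Constructed stand-in for a breached-password corpus.  Assumption: a real
# deployment would check against a large list (for example a Have I Been
# Pwned export); these few entries exist only so the example runs offline.
COMMON_PASSWORDS = {"password", "password1", "password1234", "123456",
                    "qwerty", "letmein", "welcome1"}


def legacy_policy(password: str) -> Tuple[bool, str]:
    """Mimic the restrictive rule the article describes: letters and digits
    only.  Anything else is rejected, so a user who arrives with a strong
    password must weaken it before the site will accept it.  The length
    bounds are an assumption; the page only shows the character-class rule."""
    if not 6 <= len(password) <= 20:
        return False, "length must be between 6 and 20 characters"
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        return False, "only letters and numbers are permitted"
    return True, "ok"


def improved_policy(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Accept any printable character, enforce a length floor instead of a
    character whitelist, and refuse passwords known from breach corpora."""
    pw = unicodedata.normalize("NFKC", password)  # composed/decomposed forms compare equal
    if len(pw) < min_length:
        return False, f"at least {min_length} characters required"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters are not allowed"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "password appears in a breach corpus"
    return True, "ok"


def estimate_bits(password: str) -> float:
    """Naive strength estimate: length * log2(alphabet), where the alphabet
    is the union of the character classes the password actually uses.
    Forbidding punctuation caps the alphabet at 62 symbols."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += len(string.punctuation) + 1  # 32 punctuation marks plus space
    if any(ord(c) > 127 for c in password):
        alphabet += 128  # crude allowance for non-ASCII characters
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Tr0ub4dor3", "correct horse battery staple", "Password1234"):
        print(f"{pw!r:32} legacy={legacy_policy(pw)} improved={improved_policy(pw)} "
              f"~{estimate_bits(pw):.0f} bits")
```

Running it shows the trade the legacy rule forces: dropping the `&` from `Tr0ub4dor&3` to satisfy the whitelist costs roughly a dozen bits of the naive estimate, while a long passphrase with spaces is refused outright by the legacy rule and accepted by the improved one. The denylist check is what actually stops the reuse problem the article is about, since a password leaked from another site is by definition in the corpus an attacker is replaying.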

Companies and websites that do not employ secure authentication systems simply promote lax security amongst their users, as many will fall back on simple, easy-to-remember passwords. There are a number of additional measures websites could adopt to increase the security of their users' data, such as geo-location profiling of login attempts, device profiling of users' systems, or mobile phone based two-factor authentication similar to that offered by sites such as Twitter, Facebook, and Gmail.
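The "automated process" in the British Airways statement leaves a distinctive trace in web-tier authentication logs: one source trying many different accounts with a low success rate. The following added example (my own code, not the article's or the airline's) runs that detection over a constructed log sample, lists the accounts a flagged source actually got into (the ones the article says were frozen) and applies the device-profiling idea from the paragraph above by marking successful logins from a user agent never before seen on that account as needing a second factor. The log format, the `203.0.113.5` and `198.51.100.x` addresses, the `KNOWN_DEVICES` history and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed web-tier authentication log (not real British Airways data).
# One source, 203.0.113.5, walks through many different accounts with a
# scripted client and mostly fails: the signature of credentials harvested
# from another site being replayed.  The 198.51.100.x hosts are ordinary users.
SAMPLE_LOG = """\
2015-03-29T10:15:01Z ip=198.51.100.7 user=alice result=OK ua=Firefox/36
2015-03-29T10:15:03Z ip=203.0.113.5 user=alice result=FAIL ua=python-requests/2.5
2015-03-29T10:15:03Z ip=203.0.113.5 user=bob result=FAIL ua=python-requests/2.5
2015-03-29T10:15:04Z ip=203.0.113.5 user=carol result=OK ua=python-requests/2.5
2015-03-29T10:15:04Z ip=203.0.113.5 user=dave result=FAIL ua=python-requests/2.5
2015-03-29T10:15:05Z ip=203.0.113.5 user=erin result=FAIL ua=python-requests/2.5
2015-03-29T10:15:05Z ip=203.0.113.5 user=frank result=OK ua=python-requests/2.5
2015-03-29T10:15:06Z ip=203.0.113.5 user=grace result=FAIL ua=python-requests/2.5
2015-03-29T10:16:10Z ip=198.51.100.9 user=bob result=FAIL ua=Chrome/41
2015-03-29T10:16:15Z ip=198.51.100.9 user=bob result=OK ua=Chrome/41
"""

# Assumed line format; a real deployment would parse its own server's log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) ua=(?P<ua>\S+)$"
)


class Event(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool
    ua: str


def parse(log: str) -> List[Event]:
    """Turn log text into events, skipping lines that do not fit the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["ip"], m["user"], m["result"] == "OK", m["ua"]))
    return events


def find_stuffing_sources(events: List[Event], min_accounts: int = 5,
                          max_success_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts with a low success rate.
    A genuine user fails on one or two of their own accounts; a replayed
    credential list fails on most of them.  Thresholds are assumptions to tune."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0})
    for e in events:
        stats = per_ip[e.ip]
        stats["users"].add(e.user)
        stats["ok" if e.ok else "fail"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        total = stats["ok"] + stats["fail"]
        if len(stats["users"]) >= min_accounts and stats["ok"] / total <= max_success_ratio:
            flagged[ip] = {"accounts": len(stats["users"]), "ok": stats["ok"], "fail": stats["fail"]}
    return flagged


def accounts_to_freeze(events: List[Event], flagged_ips: Dict[str, dict]) -> Set[str]:
    """Accounts a flagged source actually logged into: the ones to freeze
    pending re-verification, as the article describes the airline doing."""
    return {e.user for e in events if e.ok and e.ip in flagged_ips}


def needs_step_up(events: List[Event], known_devices: Dict[str, Set[str]]) -> Set[str]:
    """Device profiling: a successful login from a user agent never seen on
    that account should trigger a second factor rather than be trusted."""
    return {e.user for e in events if e.ok and e.ua not in known_devices.get(e.user, set())}


# Constructed per-account device history (assumption).
KNOWN_DEVICES = {"alice": {"Firefox/36"}, "bob": {"Chrome/41"}}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    bad = find_stuffing_sources(ev)
    print("flagged sources:", bad)
    print("accounts to freeze:", accounts_to_freeze(ev, bad))
    print("successful logins needing step-up 2FA:", needs_step_up(ev, KNOWN_DEVICES))
```

Note what the per-source view catches that a per-account lockout would not: each account here sees only one failed attempt, so classic "three strikes" lockout never fires, yet the source is plainly not a person. The step-up check is independent of the source analysis and would have challenged the two successful logins even if the attacker had spread attempts across many addresses.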

Breaches like this are also a timely prompt for security officers to review the security of their websites and systems and determine how effective their authentication mechanisms are, particularly on any Internet-facing system. In addition, it's a reminder that if users are reusing passwords across multiple systems, they are likely reusing those same passwords on corporate systems too.

These types of breaches are also excellent real-life examples to include in security awareness programs, as they can personalise the key messages for users. Many users may be members of various loyalty schemes, be that for airlines, hotels, or even shopping. Highlighting how weak passwords and the re-use of passwords across many systems could lead to them losing their hard-earned loyalty points could prompt them to rethink how they manage their passwords, which in turn should help them practise secure password management in the enterprise.

Good security is not the responsibility of any one party. Rather users, vendors, and companies all need to ensure they take appropriate security measures, otherwise security will never take off.

Stories by Brian Honan