Ski Club 2.0 Home
Snow Reports
FAQFAQ

Mail for help.Help!!

Log in to snowHeads to make it MUCH better!
Username:-
 Password:
Remember me:
durr, I forgot...
Or Register
(to be a proper snow-head, all official-like!)

British Airways Data Theft

 Poster: A snowHead
Poster: A snowHead
@mgrolf, I've noticed one dodgy transaction on a stored card. I haven't booked with BA in about a year, but the night before this was announced I spotted a strange transaction and called AMEX straight away, who were oddly relaxed (and even more oddly wanted to wait, very unusual as they normally spot these before I do)!

So in short I cancelled the card and already have the new one in my possession!
snow conditions     
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
I booked BA flights in the key period but haven't noticed anything abnormal on my account. Santander now has a banner when I log on to my banking basically saying they're aware of the breach but don't do anything yet.
snow report     
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
Quote:

Hmm. Asking you to do anything time limited, with rewards for acting quickly or penalties for non-response? Tread carefully as the spam/scam emails quickly follow publicised breaches...



This.

If you are concerned, the best action is to contact your card issuer and let them cancel/reissue your card. Your issuer can mark your account to be watched for evidence of suspect transactions.

As of about 11 o'clock this morning, Visa were apologising to us that they didn't yet have the list of all affected cards from BA and it's acquirer. Usually, and in the recent cases of Ticketmaster and Dixon's, we get the list of affected cards before the incident hits the news and can begin identifying affected customers before they hear about it on the news.
ski holidays     
 You need to Login to know who's really who.
You need to Login to know who's really who.
jedster wrote:
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons.


Yes, I too was asked but declined. It is something I rarely do.
ski holidays     
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
[quote="tomj"][quote]


If you are concerned, the best action is to contact your card issuer and let them cancel/reissue your card. Your issuer can mark your account to be watched for evidence of suspect transactions.

I asked Lloyds to flag my card and got a negative response. Not something they do. Gotta watch my account myself!
latest report     
 You'll need to Register first of course.
You'll need to Register first of course.
"Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons.

Hate to say it, but they were correct. It appears that only newly-input data was hacked.
ski holidays     
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
@mitcva,
Quote:

"Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons.

Hate to say it, but they were correct. It appears that only newly-input data was hacked.


Not quite, I haven't bought flights for around a year with BA and mine appears to have been compromised Sad
ski holidays     
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
@mitcva,
Quote:

It appears that only newly-input data was hacked.
No, mine was already input (or, at least, I got the email from BA implying that mine was at risk).
ski holidays     
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
I had the warning email. Twice. I had paid a balance of a BA holiday booking in the time period quoted. It was using a stored card, so only thing entered was CVV number. Have rung bank and they ( RBS) just told me to monitor. I think it will be a bit yet until we know what really got compromised.
latest report     
 Ski the Net with snowHeads
Ski the Net with snowHeads
New more up to date info from BA.

https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information?dr=&dt=British%20Airways&tier=&scheme=&logintype=public&audience=travel&CUSTSEG=&GGLMember=&ban=%7C%7CP1M%7C%7C%7C%7C%7C%7C%7CHOME%7C%7C%7C%7CL4%7C%7C%7C%7Canonymous-inspiration%7C%7C%7C&KMtag=c&KMver=1.0&clickpage=HOME
snow conditions     
 snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
Interesting to note that if you used Apple Pay to make your booking via the BA app your data was not compromised. Lesson for the future.
ski holidays     
 And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
rob@rar wrote:
Interesting to note that if you used Apple Pay to make your booking via the BA app your data was not compromised. Lesson for the future.


Only because the hackers didn't get to it this time.

PayPal accounts are also ok, but address details may have been lost.

No reason to presume Apple Pay would be any safer in another event.
snow report     
 So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
nelly0168 wrote:
No reason to presume Apple Pay would be any safer in another event.
I'm no expert, but I thought that Apple Pay payments (same for Google Pay?) replaced credit card information with a one-time token, so even if that token was intercepted it wouldn't be any use.
snow conditions     
 You know it makes sense.
You know it makes sense.
Yeah apple pay uses tokens instead, no card details are transmitted.
ski holidays     
 Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
rob@rar wrote:
nelly0168 wrote:
No reason to presume Apple Pay would be any safer in another event.
I'm no expert, but I thought that Apple Pay payments (same for Google Pay?) replaced credit card information with a one-time token, so even if that token was intercepted it wouldn't be any use.


I have to confess, I knew nowt about Apple / Google Pay until your post - had a good look last night and I retract what I said.

I have now set up my google pay account and will use it soon - cheers !
ski holidays     
 Poster: A snowHead
Poster: A snowHead
How does Google Pay - at the same time - issue tokens and give you the ability to use your phone as a touch card? Puzzled
snow conditions     
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
Seems a few weeks before the hack started, BA had informed their Cyber security teams that the majority of their roles were being outsourced to IBM.

So either their CySec team wasn't up to snuff, or was so swamped with issues that this slipped through the net... Or perhaps its a disgruntled tech turned from white hat to black hat.
latest report     
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
@Richard_Sideways, discussing this very fact round the lunch table yesterday, as BIL works for BA. As he booked flights through staff travel and paid airport taxes for them, he has also been affected by the hack. Someone did venture this theory. As he said 'you may think so, I couldn't possibly comment'.
snow conditions     
 You need to Login to know who's really who.
You need to Login to know who's really who.
jedster wrote:
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons.


There's no need to call people morons. It appears that the card details have been leaked while they were being entered into BA website. Customers who have previously stored their card details with BA don't need to re-enter them, and therefore would not have had their card details compromised by this breach.

If the attackers had instead used a different attach and targeted stored card details then the opposite would be true (stored details would have been compromised, non-stored cards might have been fine). It's hard to say which of storing or not storing you details is more secure because they are vulnerable to different attacks, and you don't know how good the defences are against each attack.
snow report     
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
@rob@rar,

have you thought about switching to SPG amex?
Now the merger with Marriott, the travel package offers might suit you
7 nights accommodation + 55k airmiles start at 255,000 points.
You collect 3 points per £1 on the card.

Another offer is 5 reward nights for the price of 4.
Off to Austria in December. 5 nights for 60,000 points. Flights are £65 each. Parking at the airport £40. Cheap trip!
ski holidays     
 You'll need to Register first of course.
You'll need to Register first of course.
Mr.Egg wrote:
@rob@rar,

have you thought about switching to SPG amex?
Now the merger with Marriott, the travel package offers might suit you
7 nights accommodation + 55k airmiles start at 255,000 points.
You collect 3 points per £1 on the card.

Another offer is 5 reward nights for the price of 4.
Off to Austria in December. 5 nights for 60,000 points. Flights are £65 each. Parking at the airport £40. Cheap trip!
At the moment the BA-Amex card works well for us. I have looked at the SPG version, but the BA-Amex Premium Plus is a better fit with how we earn Avios. We get 1.5 Avios per £ spent, and a Companion Voucher (valid for 2 years) issued when we cross the £10K spending threshold. Add in some Avios points from our Tesco Clubcard and we have enough Avios to book business class or first class flights each summer, usually to the USA. I've just booked for next summer, First Class to LA, Club World back from San Francisco. Doesn't involve much of a change in our spending behaviour and makes the start and end of our holiday a bit more luxurious just for the cost of the taxes (typically half the price of an economy ticket).
ski holidays     
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
Hurtle wrote:
How does Google Pay - at the same time - issue tokens and give you the ability to use your phone as a touch card? Puzzled


When you hold your phone over the merchant's terminal it knows that you're using your phone, so it can treat the transaction slightly differently. Your phone doesn't pass on your actual card details, it creates a virtual card and passes that on instead. If the merchant is compromised, then it is the virtual card that gets leaked, but it can't be used by the hackers.
latest report     
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
@thelem, thank you.
ski holidays     
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
@rob@rar,

its worth checking - even if its just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices was different on all 4 nights! So the 2 most expensive nights was paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).

30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice!


Im already sitting on 200k avios with no plans to use them for a while! Will start card recycling soon. Ive not had BA for a while & still a few months to wait before I recycle for gold bonus again.
snow conditions     
 Ski the Net with snowHeads
Ski the Net with snowHeads
If youíre concerned about entering credit card details Revolut (only premium at the moment I believe), allows you to generate a disposable virtual card. Every time you use it the card number gets binned and a new one is generated, so anyone intercepting your card details canít use them.
snow conditions     
 snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
Mr.Egg wrote:
its worth checking - even if its just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices was different on all 4 nights! So the 2 most expensive nights was paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).

30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice!
That doesn't work for us. Not much interested in getting free hotel nights. We need to have a card which offers a companion voucher as we normally save 100,000 to 150,000 Avios per year which isn't enough for two business class tickets for our summer holiday. If it's Avios you're interested in to use for flights the BA-Amex card is the best option right now.
snow report     
 And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
rob@rar wrote:
Mr.Egg wrote:
its worth checking - even if its just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices was different on all 4 nights! So the 2 most expensive nights was paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).

30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice!
That doesn't work for us. Not much interested in getting free hotel nights. We need to have a card which offers a companion voucher as we normally save 100,000 to 150,000 Avios per year which isn't enough for two business class tickets for our summer holiday. If it's Avios you're interested in to use for flights the BA-Amex card is the best option right now.


just pointing out some options. I flip my cards regulary between the various Amex on offer & hotel/airline cards (you can hold 2x Amex cards at once). Easy to trigger bonuses, etc.
fwiw virgin atlantic CC also now does 2-4-1 vouchers. Can sometimes be cheaper in miles & taxes.
ski holidays     
 So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
Hells Bells wrote:
@Richard_Sideways, discussing this very fact round the lunch table yesterday, as BIL works for BA. As he booked flights through staff travel and paid airport taxes for them, he has also been affected by the hack. Someone did venture this theory. As he said 'you may think so, I couldn't possibly comment'.


When I became aware of the B.A issue v early on, I mentioned it to cabin crew offspring immediately. She said she was already aware and that staff travel wasn't affected (she has booked me on a trip coming up and done it within the stated period).

Might get her to revisit that statement in light of above as it wouldn't surprise me if she got it wrong. I might be doing her a disservice mind.
snow report     
 You know it makes sense.
You know it makes sense.
Mr.Egg wrote:
fwiw virgin atlantic CC also now does 2-4-1 vouchers. Can sometimes be cheaper in miles & taxes.
I'd like to try Virgin's Upper Class, haven't flown with them for years and years. But I have a legacy conversion rate Tesco -> Avios, so I get a better deal (25% better) if I convert to the BA scheme rather than Virgin. From what I understand, the Virgin companion voucher gives you an additional seat if you pay for one, rather using miles? With BA the companion voucher works if you use Avios to book your seats, so much cheaper than paying for one with Virgin and then getting another for free. I'm also on a legacy rate for the BA-Amex card (£60 rather than £190) because I've been with them for a long time and I have a couple of other Amex cards, so changing from that wouldn't make much sense for me. Appreciate the info, though.
ski holidays     
 Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
thelem wrote:
jedster wrote:
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons.


There's no need to call people morons. It appears that the card details have been leaked while they were being entered into BA website. Customers who have previously stored their card details with BA don't need to re-enter them, and therefore would not have had their card details compromised by this breach.

If the attackers had instead used a different attach and targeted stored card details then the opposite would be true (stored details would have been compromised, non-stored cards might have been fine). It's hard to say which of storing or not storing you details is more secure because they are vulnerable to different attacks, and you don't know how good the defences are against each attack.

They are morons for claiming it's SAFER to leave card detail in their system! It's extremely unlikely to be any safer!

Unless of course, if they KNEW their company's defense in stored data is excellent but leaves large hole of known vulnerability undefended.
snow conditions     
 Poster: A snowHead
Poster: A snowHead
@Cinsha, BIL (who is in IT) was told otherwise.
ski holidays     
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
@rob@rar, virgin upper us fab. Lounge is much better at Heathrow...well compared to ba business never been in first class.
ski holidays     
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
More info on the hack out:

https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
ski holidays     
 You need to Login to know who's really who.
You need to Login to know who's really who.
@Little Martin, wow.

These boys seem to know their stuff.
snow report     
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
interesting for any one affected
https://www.headforpoints.com/2018/09/11/what-caused-the-british-airways-data-breach/
snow conditions     
 You'll need to Register first of course.
You'll need to Register first of course.
@Mr.Egg, yeah, your man there is/was suggesting a token system as mentioned above which is more secure than a direct card transaction but they are a PITA to implement and get adopted by customers who are, as seen above, inherently mistrustful of storing banking details on the ol' interwebs.

@Little Martin, that new info on the breach method and the deep knowledge you'd need to inject it that clearly reeks of insider.
ski holidays     
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
I'm not convinced it was an insider, I'd have kept the modified date the same if I was doing it to make it less likely to spot in the headers Wink

Still, a bit of code could have notified someone that the checksum had changed on the file, or the file was different, comparing against source control for any recent deployments, surprised someone like BA didn't have this sort of thing in place. This could be running hourly on the server.

I'm interested in seeing what comes out further down the line, I've done quite a bit of infosec studying recently so trying to keep up with what is happening with modern hacking is, err, interesting Wink
snow conditions     
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
@Little Martin, I have zero understanding of these things, but Iím shocked that they donít have a way of checking whether their pages have been modified as you suggest. Is that something which is easy to implement?
ski holidays     
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
Well it seems that the state of infsec inside BA was pretty rough and that's before they announced they were being outsourced.
ski holidays     
 Ski the Net with snowHeads
Ski the Net with snowHeads
@rob@rar, from a basic point, it's a hash/checksum of the file compared with a known hash of a file - the known hash could be generated on file deployment, a script would then just look at the files, get the hash and compare it. Notify of any differences. This is basically how some rootkit hunters run on linux, so it wouldn't be that difficult to add the web files in, imho, or script your own code.

Something more complicated could be looking at the differences in the code itself vs a copy of the code held elsewhere - this could be in source control or another dir.

Something like the library file they used in the hack, chances are it wouldn't change that often unless you needed to support a particular feature, so both these methods would have picked this up I would have thought.
snow conditions     



Terms and conditions  Privacy Policy