Much like the iCloud “hack” story of last summer, it appears that another vault of sensitive details has been accessed because users reused the same credentials across different services.
In the case of the British Airways incident, a third party was, in BA’s words, “using information obtained elsewhere on the internet, via an automated process, to try to gain access”. So who wants to put money on this being done by a brute-force password tool? BA said that the login attempt was successful, but that it spotted the activity and reset all points gained to zero.
Despite the headlines, users never learn. Is this a case for better education, better tools or for demands on better authentication systems from the company? We asked some industry experts.
Jovi Umawing, malware intelligence analyst at Malwarebytes
“This hack poses serious concerns for those affected and the lack of information provided by British Airways only makes it more difficult for Executive Club members to identify and lock down any weaknesses in their online accounts. BA frequent flyers who think they may be affected are advised to follow the company’s lead and change their account passwords.
“Given the suggestion that details from another source might have been used in this attack, it might be a good idea to start using a password manager and ensure sensitive login information isn’t being shared between sites.”
Rob Lay, solutions architect for enterprise and cyber security at Fujitsu UK & Ireland
“We are now hearing of high profile security breaches on an almost daily basis. The news that British Airways frequent flyer details were compromised again raises this issue of data security to the forefront of the business agenda, with these breaches now becoming commonplace for both large and smaller organisations.
“The breach affected thousands of accounts and despite no personal data being accessed, customers were impacted as a freeze was put on all accounts. This loss of regular functionality can have huge ongoing consequences for businesses ranging from impacted reputation to customers taking their business to a competitor.”
Richard Brown, director EMEA channels and alliances at Arbor Networks
“This hack on British Airways is the latest in a long line of cyber attacks we have seen over the last six months. The fact that hackers were able to identify the company’s weakness is testament to the fact that companies need to be doing more as the industry continues to evolve.
“In today’s threat landscape, organisations need to be vigilant and ensure they have the right security in place to deal with hackers. What’s becoming essential, especially for larger organisations and high-value targets, is having the ability to detect and contain threats quickly – even when they make it past the perimeter defences. This isn’t all about technology – although having the right tools helps – people and process are key in this.”
TK Keanini, CTO of Lancope
“Our lives grow more digitally connected and so do businesses. Companies must perform threat modeling on their partners and ask the question: if this partner was breached, what exposure do I have and what exposure do we share?
“These are questions to ask as you are provisioning this relationship because that is the right time to have this conversation. While you are at it, ask yourself: if you were compromised, how many of your partners would be at risk?”
Ross Brewer, vice president and managing director for international markets at LogRhythm
“Cyber criminals are becoming increasingly determined to access user credentials, with advanced automated tools that are designed to seek and steal usernames and passwords with minimal effort. As such, we hear time and time again about breaches stemming from hackers using these smash-and-grab techniques to build a database of credentials and then effectively ‘trying every key in the lock’ until it opens.
“No matter how watertight a business believes its IT security position to be, there will always be a weak point just waiting to be exploited by cybercriminals and these are often linked to password security. Organisations must, without exception, be continually monitoring their systems for any anomalous activity that could indicate a breach – particularly those with a strong emphasis on customer service, like British Airways.
“This protective monitoring will shorten the time to detect and respond to security incidents, leading to reduced fallout for their customers. On that note, British Airways should be commended for identifying the breach and taking the proactive step of locking down all user accounts before any real damage could be done.”
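The ‘trying every key in the lock’ pattern Brewer describes leaves a distinctive trace in authentication logs: one source attempting many different usernames, mostly failing, with the occasional success where a reused password still works. The Python below is an added example, not part of the article and not BA’s or LogRhythm’s code; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example, not BA's real format):
# one login attempt per line, already filtered to a short time window.
LINE_RE = re.compile(r"^ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 198.51.100.7 sprays reused credentials across many accounts
# (one succeeds); 203.0.113.9 is a legitimate user mistyping their own password.
SAMPLE_LOG = """
ip=198.51.100.7 user=alice result=FAIL
ip=198.51.100.7 user=bob result=FAIL
ip=198.51.100.7 user=carol result=OK
ip=198.51.100.7 user=dave result=FAIL
ip=198.51.100.7 user=erin result=FAIL
ip=203.0.113.9 user=grace result=FAIL
ip=203.0.113.9 user=grace result=FAIL
ip=203.0.113.9 user=grace result=OK
""".strip().splitlines()

def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A mistyped password fails repeatedly against one account; a stuffing run
    spreads failures over many accounts, with the odd success where a password
    reused from another breach still works. Returns {ip: stats}.
    """
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                      # skip malformed lines rather than crash
            continue
        by_ip[m["ip"]].append((m["user"], m["result"] == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if len(users) >= min_users and fails / len(events) >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "failures": fails,
                # accounts the source actually logged into: these need a reset
                "compromised": sorted(u for u, ok in events if ok),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-username count is what separates this from a single customer locked out of their own account, and the `compromised` list is the set of accounts that warrant the kind of forced reset BA applied.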
Grayson Milbourne, security intelligence director for Webroot
“The key security takeaway from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly reused by customers across separate online accounts. Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts.
“Best practice for mitigating this kind of attack is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location. This extra security hurdle can effectively stop a hacker in their tracks, while alerting the user to the unauthorised attempt to access their account and prompting them to change their password.”