Exclusive Just weeks before being hacked in late August, British Airways’ parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a “group-wide strategic and proactive approach” to counter threats.
The Register has learned, from a leaked internal memo, that BA was consulting its staffers about the move. According to the missive, the airline expected to transfer the majority of its cybersecurity functions to IBM with the exception of its security operations services, which will remain part of its own function.
BA’s management committee approved the outsourcing scheme prior to putting it out to consultation with workers and unions at the beginning of August. “We recognise and appreciate this proposal will mean a period of uncertainty and concern for colleagues working in the Cyber Security function,” John Hamilton, group IT service effectiveness manager, wrote in the memo.
An infosec expert with experience in the aviation industry told El Reg: “You don’t outsource something that is working well.” The airline may have proposed outsourcing either because it is “struggling to get enough high-quality staff or because the board wanted to cut costs,” we were told.
BA has a bad reputation for cost-cutting at the moment, he added.
In any case, British Airways, at the start of August, felt it needed outside help to secure its computer systems.
The security breach
Fast-forward five weeks to Thursday, 6 September, and BA was obliged to open an investigation into the theft of customer information from its website and mobile app servers by hackers, as we reported yesterday.
The personal and financial info of travellers booking flights or other services through British Airways was potentially in the hands of cyber-crooks for 15 days between August 21 and September 5. Around 380,000 credit and debit cards were potentially compromised as a result of the intrusion, making it one of the biggest single payment card security blunders in UK history. Compromised info includes card numbers and CVV codes, BA added on Friday.
Neither travel nor passport details are thought to have been exposed by the hack, which has been reported to both the police and UK data protection regulators.
Our aviation-experienced infosec source also offered some informed speculation on how the cyber-break-in unfolded.
“This will probably come down to either not having an update tested before it goes live, cost-cutting resulting in the site not being tested as often as it should have been or lower quality support (aka not patching the servers),” he said.
“Given the specific time window of stolen data, I suspect a third party web server component compromise. It would be hard for the security team to spot the change in the user’s web experience especially if they have limited influence in the organisation as developers and web admins will not follow security processes,” he added.
Our expert concluded: “Given the rumours of outsourcing security, the team are probably not as effective as they could be (or they are swamped) with other problems.”
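As an added illustration of the expert's point about how hard it is to spot a change to a third-party web component (this is not code from the article, from BA or from IBM): assuming the component in question is a script loaded into the booking page, Subresource Integrity lets a security team pin each external script to a hash, so a changed file fails to load in the browser and shows up as a mismatch in routine checks. The audit below is hypothetical; the HTML, script bodies and `cdn.example.invalid` URLs are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token (e.g. 'sha384-<base64>') for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """True if the body matches any supported token in the integrity attribute."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


class ScriptTagCollector(HTMLParser):
    """Collect external <script src=...> tags and their integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def audit_page(html: str, fetched: dict) -> list:
    """Compare each external script on a page against the bodies actually served.

    `fetched` maps script URL -> bytes (in practice these come from a fetch of the
    live page; here they are supplied by the caller). Status per script:
    'ok', 'no-integrity' (nothing pins this script), 'mismatch', or 'not-fetched'.
    """
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        body = fetched.get(s["src"])
        if s["integrity"] is None:
            status = "no-integrity"
        elif body is None:
            status = "not-fetched"
        elif verify_sri(body, s["integrity"]):
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"src": s["src"], "status": status})
    return findings


# Constructed sample data: a vendor script as deployed, and the same script with one
# extra line the security team never approved.
VENDOR_URL = "https://cdn.example.invalid/vendor.js"
ANALYTICS_URL = "https://cdn.example.invalid/analytics.js"
VENDOR_JS = b"window.vendor = function () { return 'pay'; };\n"
TAMPERED_JS = VENDOR_JS + b"// one extra line that was not part of the release\n"
ANALYTICS_JS = b"/* analytics placeholder */\n"

# Constructed page: vendor.js is pinned with an integrity attribute, analytics.js is not.
SAMPLE_HTML = f"""<html><head>
<script src="{VENDOR_URL}" integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>
<script src="{ANALYTICS_URL}"></script>
<script>console.log("inline");</script>
</head></html>"""


def demo():
    """Audit the page before and after the vendor script changes on the CDN."""
    before = audit_page(SAMPLE_HTML, {VENDOR_URL: VENDOR_JS, ANALYTICS_URL: ANALYTICS_JS})
    after = audit_page(SAMPLE_HTML, {VENDOR_URL: TAMPERED_JS, ANALYTICS_URL: ANALYTICS_JS})
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        for f in findings:
            print(f"{label}: {f['status']:13} {f['src']}")
```

The 'no-integrity' finding is the one to act on first: a script with no integrity attribute can change on the third-party host without anything on the page objecting, which is exactly the blind spot the expert describes. Browsers enforce the pinned hash at load time; running the same comparison from a monitoring job turns a silent change into an alert.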
What happened this week?
How exactly the crooks broke into BA’s network remains unclear, publicly at least. BA chief exec Alex Cruz appeared on BBC Radio 4’s flagship Today programme on Friday morning to say that the airline’s partners alerted it to the intrusion on Wednesday night.
“There was a very sophisticated and malicious criminal attack on our website,” Cruz said. “We have a network of partners that are monitoring continuously what happens to websites across the world. We got a signal from one of those partners.”
Asked to clarify, Cruz said it was BA’s own systems that alerted it to problems rather than those of an external security researcher, bank or financial service provider. Cruz sidestepped several questions on how the criminals broke in.
BA is offering to reimburse customers for any financial losses attributable to the security breach. Most will likely be covered by credit card indemnification against fraud anyway. The bigger problem, for the airline, is what financial sanctions it might receive from data privacy watchdogs at the ICO under the tougher regime introduced when the EU’s General Data Protection Regulation was brought into effect in May this year.
El Reg asked BA to comment on the rationale for its planned outsourcing and how many jobs will be involved. We also flagged up sections of BA’s internal memo that warned that the outsourcing “proposal will mean a period of uncertainty and concern for colleagues working in the cyber security function.”
We’re yet to hear back but we’ll update this story as and when we hear more. El Reg also contacted IBM, so far without success, and industry experts with a request to comment on the security breach and the proposed outsourcing plan.
A spokeswoman for the UK’s information privacy watchdog, the ICO, told us: “British Airways has made us aware of an incident and we are making enquiries.”