British Airways has released no technical details on how attackers managed to get 380,000 people’s personal information – including payment card numbers – from their systems. I’ve done some reading, though, and wanted to share my thoughts – and those of the wider ethical-hacking community – on this kind of breach and try to explain, in layman’s terms, how this was possible.
Believe me, hacking a PCI DSS-compliant application is difficult
Sites like British Airways and Ticketmaster have to comply with the PCI DSS (Payment Card Industry Data Security Standard), just like our clients who take card payments. If you work with the PCI DSS, you'll understand how much it takes to compromise an application, the cardholder data environment (CDE) and the database in which card details are stored encrypted. It's also worth noting that the CVV (the three- or four-digit security code on the card) must not be stored at all once a transaction has been authorised, so even a stolen database of card numbers is missing part of what a fraudster needs, making the whole thing much more complex for the attacker.
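To make the previous paragraph concrete, here is an added illustration (my own example code, not anything British Airways, Ticketmaster or the PCI SSC publish) of what a PCI-conscious card store looks like at the code level. It assumes a Go back end, an encryption key that in production would come from an HSM or key-management service, and uses the well-known Visa test number 4111 1111 1111 1111 with a made-up CVV as constructed sample input. The full card number lives only inside an AES-256-GCM ciphertext, the record keeps a masked copy for display, and the CVV is never written anywhere, so an attacker who dumps the table gets nothing they can pay with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the shape of a record in the CDE database. Deliberately absent:
// any CVV field. The full PAN exists only inside EncryptedPAN.
type StoredCard struct {
	MaskedPAN    string // first six and last four digits only, for display and lookup
	EncryptedPAN string // hex(nonce || AES-256-GCM ciphertext of the full PAN)
	ExpiryMonth  int
	ExpiryYear   int
}

// luhnValid reports whether pan is 13-19 digits and passes the Luhn checksum.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits and stars out the rest.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// gcmFor builds an AES-GCM cipher; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN encrypts pan with a fresh random nonce and returns hex(nonce || ciphertext).
func SealPAN(key []byte, pan string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(append(nonce, gcm.Seal(nil, nonce, []byte(pan), nil)...)), nil
}

// OpenPAN reverses SealPAN. Only the authorisation path should ever hold the key;
// a wrong key or a tampered blob fails the GCM tag check and returns an error.
func OpenPAN(key []byte, blob string) (string, error) {
	raw, err := hex.DecodeString(blob)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCard takes what the customer typed (the CVV is needed once, for the
// authorisation request) and returns only what may be kept afterwards.
// The cvv parameter is validated and then deliberately dropped on the floor.
func StoreCard(key []byte, pan, cvv string, month, year int) (StoredCard, error) {
	if !luhnValid(pan) {
		return StoredCard{}, errors.New("PAN failed Luhn check")
	}
	if len(cvv) < 3 || len(cvv) > 4 {
		return StoredCard{}, errors.New("CVV must be 3 or 4 digits")
	}
	blob, err := SealPAN(key, pan)
	if err != nil {
		return StoredCard{}, err
	}
	// cvv is intentionally not written anywhere: PCI DSS forbids storing it after authorisation.
	return StoredCard{MaskedPAN: maskPAN(pan), EncryptedPAN: blob, ExpiryMonth: month, ExpiryYear: year}, nil
}

// RecordExposesPAN is the check a thief who has only read the database is effectively
// running: does the dumped record contain the full card number in clear?
func RecordExposesPAN(rec StoredCard, pan string) bool {
	return strings.Contains(fmt.Sprintf("%+v", rec), pan)
}

func main() {
	key := make([]byte, 32) // production: fetched from an HSM or KMS, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample input: the well-known Visa test PAN and a made-up CVV.
	rec, err := StoreCard(key, "4111111111111111", "123", 12, 2026)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %+v\n", rec)
	fmt.Println("full PAN visible to a database thief:", RecordExposesPAN(rec, "4111111111111111"))
	pan, _ := OpenPAN(key, rec.EncryptedPAN)
	fmt.Println("PAN recovered by the service holding the key:", pan)
}
```

The point of the design is separation: the database holds ciphertext and a mask, the key lives elsewhere, and the CVV has no home at all. That is why a breach that ends with a full card number plus CVV almost always means the data was taken in transit or at the point of entry rather than from a compliant store.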
Hackers targeted Ticketmaster’s third party
Enter: the penetration tester
This kind of breach is a prime example of how vulnerable any organisation is to the wrath of the criminal hacker. Yes, by demonstrating compliance with the PCI DSS's requirements, you show your customers, stakeholders and competitors that your organisation takes data protection and security seriously, but it's no good stopping there. Compliance is assessed at a point in time; a system that passed its last assessment can be vulnerable the day after a new deployment or a change to a third-party component. To ensure actual security, it's vital to assess the gaps in your security regularly and test how secure your systems and applications really are. Penetration testing is the most direct way to do this: an ethical hacker like me takes the role of the criminal hacker and attempts to find weaknesses in your security before a real one does.
Our team is experienced in infrastructure and web application penetration testing, and can help you take the necessary actions to protect your cardholder data, so you can be confident that your web applications aren't exposed to the same weaknesses that have caught out other, breached organisations.