back to article Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a "group-wide strategic and proactive approach" to counter threats. The memo in full Subject: Group IT Cyber Security Update From: John Hamilton Sent: 01 August 2018 13:56 All …

  1. Scott Pedigo
    Facepalm

    Aren't Vendors Supposed To NOT Store The CVV?

    I have a vague memory of reading somewhere that vendors were not supposed to store the CVV, but rather only use it to validate the CC when it was entered. Is that correct? Or do they need to store the CVV to be able to use it every time they charge against the CC when the customer logs in to his/her account and orders ticket on-line?

    1. Gotno iShit Wantno iShit

      Re: Aren't Vendors Supposed To NOT Store The CVV?

      Correct, they should not be stored and there is no indication BA did. This is why most sources suspect this was a live leak, copying the data to a rogue receiver during purchase.

    2. pleb

      Re: Aren't Vendors Supposed To NOT Store The CVV?

      You are correct. Hence the idea that the hack exfiltrated live information (like a key-logger). Also ties in with BA giving exact to-the-minute timings for the start and end of the vulnerability.

    3. streaky

      Re: Aren't Vendors Supposed To NOT Store The CVV?

      I believe BA explicitly stated that they don't although it isn't worth the effort going to look for a citation for that. All fingers IMHO point to the third party garbage on your payment pages meme that's been doing the rounds and almost nobody has learnt from. No confirmation of that but it strongly feels like it.

  2. jms222

    So presumably the server was running dodgy code. They need to look at whether this was preventable or detectable.

    1. Anonymous Coward
      Anonymous Coward

      Its the 3rd-Party Code that always burns you

      "websites that embed code from third-party suppliers - it's known as a supply chain attack. Third parties may supply code to run payment authorisation, present ads or allow users to log into external services, for example."

      https://www.bbc.co.uk/news/technology-45446529

      British Airways breach: How did hackers get in?

      1. Tom Paine

        Re: Its the 3rd-Party Code that always burns you

        That's not what a supply chain attack is, Professor Alan Woodward.

        1. streaky

          Re: Its the 3rd-Party Code that always burns you

          Alan Woodward doesn't have a clue what he's talking about, I've tried to engage him in the arena of getting him to stop talking nonsense multiple times. The BBC should stop using him. Not sure what he's a professor in but I hope it isn't compsci.

          1. DCdave

            Re: Its the 3rd-Party Code that always burns you

            https://www.surrey.ac.uk/cs/people/alan_woodward/

            Professor in physics and engineering. What strikes me most, though, about this bio is the following sentence:

            "Although Alan has been at the leading edge of technology development for many years, he is primarily a particularly good communicator."

            Which rather sounds like they are saying he's especially good at BS.

            1. streaky

              Re: Its the 3rd-Party Code that always burns you

              Professor in physics and engineering

              Ah, well that explains it.

              1. streaky
                Mushroom

                Re: Its the 3rd-Party Code that always burns you

                Oh dear Alan Woodward has a 'reg account.

    2. Dom De Vitto

      Obviously everything is preventable.

      According to their own statement, they detected it themselves.

      1. Anonymous Coward
        Anonymous Coward

        If they detected this themselves, why did it take so long ?

  3. Anonymous Coward
    Anonymous Coward

    When your corporate slogan is at odds with reality

    'The World's favorite airline'

    https://www.bbc.co.uk/news/uk-44546400

    British Airways cancels 2,000 'incorrectly' cheap tickets

    1. Anonymous Coward
      Anonymous Coward

      Re: When your corporate slogan is at odds with reality

      The world's favourite.

      Anonymous for obvious reasons.

  4. K

    IBM... robbers in tweed suits.. (or at least the salesmen are)

    Dixons Carephone did exactly this, got stung for a princely sum, along with a contract that favouritises IBM for everything, including limiting Dixon's ability to bring in new suppliers (IBM get first dibs on everything!).

    The driver behind this was Dixon's assumed (and this is direct from the signatory of the contract) that by outsourcing and offloading responsibility, it would shield them from reputational damage if a breach occurred and allow them to refute accusations that they don't invest in security.

    Fat lot of good it did them.. now, with GDPR, companies can no longer hide behind outsourcing (Though, some will still try)..

    1. Anonymous Coward
      Anonymous Coward

      Re: IBM... robbers in tweed suits.. (or at least the salesmen are)

      >>> IBM... robbers in tweed suits.. (or at least the salesmen are)

      ... not sure that any IBM sales droid would ever be seen dead or alive in a tweed suit!

      However, the point about IBM getting first dibs on sourcing kit and software rings true - based on several years in the SO business (admittedly a number of years ago) where it was clear in a number of situations that IBM's offering clearly wasn't 'best of breed' but was forced down the architect or TSM's throat as the only possible option as running multiple systems by the back end (Offshore) teams might have cost a few rupees^W dollars more.

      Many's the time during solution review and risk assessment long hours were spent examining (and arguing over) plans to swap out customer's existing and perfectly adequate stuff and impose our own stuff. What was frequently worse was that this part of the Transformation programme often then ran massively late and over budget and we had yet another troubled contract.

      AC for obvious reasons ... and no, I didn't work on or QA/DA Dixons Carphone (or if I did it was only minor growth business on the CPW previous contract- memory fades over the years since taking the redundancy money and running!)

  5. Anonymous Coward
    Terminator

    BT was going to outsource security says leaked memo.

    I call baloney on this leaked internal memo, a retrospective attempt by BT executives to put a positive spin on the hack. I think the tell was where the memo mentions consulting their own IT staff. Besides outsourcing security has to be the dumbest idea ever. Security has to be baked in from the design stage and not implimented from a call center in India.

    ps: nobody who wants to be taken seriously ever uses cyber in a sentence.

    1. Captain Badmouth

      Re: BT was going to outsource security says leaked memo.

      BA?

      1. GrapeBunch

        Re: BT was going to outsource security says leaked memo.

        BA?

        No, Bt. Bacillus thuringiensis, effectively stamps out bugs. Oops.

    2. Doctor Syntax Silver badge

      Re: BT was going to outsource security says leaked memo.

      "nobody who wants to be taken seriously ever uses cyber in a sentence."

      Lots of people who want to be taken seriously do that. It's just that they don't know any better.

      1. Tom Paine

        Re: BT was going to outsource security says leaked memo.

        Or they're communicating with non-IT, non-security people. Hate the break this to you, but the "cyber" boat sailed some years back.

        When I first read El Reg people were still complaining about the use of "hack" / "hacker" to mean malicious activity.

    3. steviebuk Silver badge

      Re: BT was going to outsource security says leaked memo.

      A director or exec would use cyber. They love buzz words as they are mostly dicks and will never admit they don't know what they are fucking talking about.

      1. Version 1.0 Silver badge

        Re: BT was going to outsource security says leaked memo.

        Have you never sat in a corporate meeting with a buzzword bingo card? CYBER .... and I'm a winner!

        1. Kientha

          Re: BT was going to outsource security says leaked memo.

          Playing buzzword bingo was the only thing that made corporate meetings bearable. There's only so many times you can say "That's not how it works" before you just give up and know they won't be able to work out you've done things differently. I still shudder whenever someone talks about the cloud or AI. I blame the salespeople.

  6. Anonymous Coward
    Anonymous Coward

    British Airways - The TSB of Airlines:

    #1. British Airways was forced to apologise today after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in the worst ever attack on its website and app.

    #2. The attack came 15 months after the carrier suffered a massive computer system failure at London's Heathrow airport, which stranded 75,000 customers over a holiday weekend. After the computer system failure in May 2017, BA said it would take steps to ensure such an incident never happened again.

    #3. But in July it was forced to cancel and delay flights out of the same airport due to problems with a supplier's IT systems.

    ===================

    https://www.rte.ie/news/business/2018/0907/992184-ba-data-breach/

  7. Anonymous Coward
    Anonymous Coward

    As a core responsibility, we yield that to others

    Misery loves company (for a healthy fee), BA welcomes new blame buddy, IBM.

  8. Doctor Syntax Silver badge

    "BA has a bad reputation of cost-cutting at the moment, he added."

    How much cost-cutting like this can they afford?

  9. Anonymous Coward
    Anonymous Coward

    No, you can't have a maintenance window. Yes this web page update is going live on Tuesday and no we're not following change lead times because marketing has already got the creative ready to run. No we don't have people who can UAT the patches in the test environment this week.

    Take your pick, probably all the above, it's what customers do all the time, then they act surprised when there's a breach.

  10. Anonymous Coward
    Anonymous Coward

    > The bigger problem, for the airline, is what financial sanctions it might receive from data privacy watchdogs at the ICO

    I would have thought the PCI folk might not be exuding happiness either.

    1. Anonymous Coward
      Anonymous Coward

      What have the PCI folks ever done for Jo Public?

      "I would have thought the PCI folk might not be exuding happiness either."

      You might have thought that.

      Can you remind readers of any occasions where the PCI folks have taken effective sanctions against incompetent merchants/payment processors/etc ?

      Or should card users be looking at using one of the disposable one-time-use card providers (whose names I forget, but the concept looks more and more interesting by the day)?

      1. katrinab Silver badge

        Re: What have the PCI folks ever done for Jo Public?

        Don't you need to have the credit card you paid with when you turn up at the airport?

        1. Neil Spellings

          Re: What have the PCI folks ever done for Jo Public?

          No, I've never been asked for this, although I always check-in online.

      2. Neil Spellings

        Re: What have the PCI folks ever done for Jo Public?

        There are several, but I use Revolut app to create one-time-use Credit card numbers for online payments.

  11. Herby

    Why couldn't they hack???

    The prices of the tickets. That might make them a little bit more concerned.

    Maybe "discount fares for all" might be a good marketing tactic. Or as someone (salesman in a company I worked at) confirmed as a good idea: "Lose a little on each one, but make it up in volume".

  12. steviebuk Silver badge

    It used to be...

    ...the worlds fav airline. It hasn't been for ages.

    We all know going with IBM probably wouldn't of helped. Doesn't appear to have stopped TSB from going offline again all weekend.

    I'm not saying this is the case but telling a load of your security staff "we need to spend more on security but we're gonna outsource you." Knowing full well the outsource company will then prob make them redundant. Doesn't do much for morale.

    I wonder if there is the chance the security team then thought "we've been telling you for ages you need to spend more on security as we're under funded but you've never listened. Now you're outsourcing us and no doubt we'll be made redundant so fuck it. We'll just do as little as we can get away with but still be paid."

    I wonder.

    1. Tom 7

      Re: It used to be...

      Or perhaps the problem is going to a company to discuss outsourcing your security and giving them enough details to make it worth their while to do some outsourcing themselves to ensure your motive to outsource is enhanced. Possibly.

    2. Anonymous Coward
      Anonymous Coward

      Re: It used to be...

      "...the worlds fav airline. It hasn't been for ages."

      Yep.. The wife refuses to fly them these days, on a trip to Turin in May, they cancelled her outbound flight, thankfully booked her onto a slight later one. But then the return flight got cancelled, they had a flight the following morning, but refused to put her on it, as they only had 1st class seating left!

      For me, they dropped onto my sh*t list when they introduced the new Priority boarding earlier this year, with ranks from 1 to 5!

      1. David Hall 1

        Re: It used to be...

        BA don't have first class on their route to Turin.

        Or not, at least, since before I was born (early 80s!)

        1. Richard 12 Silver badge

          Re: It used to be...

          There's a Business class. The seats are bigger, there's a little table between them instead of another seat and you get served tea and a biscuit.

          And they wonder why nobody ever buys those tickets.

          1. Anonymous Coward
            Anonymous Coward

            Re: It used to be...

            >There's a Business class. The seats are bigger, there's a little table between them instead of another seat and you get served tea and a biscuit.

            Business class on *any* airline for shorthaul European flight is pointless. But BA do a worse job of it than most. BA shorthaul business class is vaguely disguised economy, the seats are identical, just there isn't a someone in the middle.

            As for mid-haul/ong-haul business on BA. Its dire. They lost that one long time ago, mostly to the Gulf carriers, but also to some semi-decent European offerings. Cruz just continued to make it worse for BA by carrying on cutting, even for premium passengers.

            1. Danny 14

              Re: It used to be...

              I rather like some BA routes. We book the weekend BA flights out of Scottish airports semi regularly (as in the same 5 weekends a year). Granted they are chartered but use the london city 190 planes and are quite cheap (we usually pay about 100 return with luggage). A nice way to hop to the balearics for some sun.

              since they are 190s the checkin in easy (only 90 passengers top), baggage is quicker and the seats are larger.

              1. defiler

                Re: It used to be...

                london city 190 planes

                Embraer. They're Brazilian, which terrified me because I've seen how bad Brazilian manufacturing could fuck up a bomb-proof design like the Honda CG125. However, they're nice planes. I like them one EDI<->LCY route. It's about the only route I fly BA on.

  13. Anonymous Coward
    Anonymous Coward

    I’m sure the BA management will just use the incident as justification for its new IBM outsourcing deal. The problem they have now is different IT functions are outsourced to different providers, this potentially increases complexity and therefore the potential attack surface. The thing is as soon as you start to outsource bits and bobs your workforce assumes that they are next and recruitment becomes more difficult. It’s something that seems obvious from the coal face but when you live in your ivory tower it’s not necessarily recognised. In IT I have never heard of a time where an outsourced department improves anything other than a bottom line except in smaller companies that otherwise couldn’t afford a complete IT team.

    1. Jellied Eel Silver badge

      The buck stops elsewhere with outsourcing. Usually multiple airports.

      I’m sure the BA management will just use the incident as justification for its new IBM outsourcing deal. The problem they have now is different IT functions are outsourced to different providers, this potentially increases complexity and therefore the potential attack surface. The thing is as soon as you start to outsource bits and bobs your workforce assumes that they are next and recruitment becomes more difficult.

      Over the years I've dealt with BA with a variety of different hats on. And over the years, I've noticed when I meet their IT people, the department's shrunk and there are more empty desks.. Both in the UK, and Madrid. Which is a bit of a shame, but then the executive's ruthless cost cutting mantra translated into expecting suppliers to bid on complex solutions via an e-auction interface. That may work for bulk buying hand sanitiser, but rarely works well for services.

      Sad thing is the IT people knew this, and generally meant well. They knew how much their business (and potentially stranded passengers) depended on complex IT working just right, else chaos ensued. No doubt BA's execs will use this to justify going ahead with an outsourcing deal, and it's passengers and crews will be left to deal with the consequences.

  14. Alex Brett

    > An infosec expert with experience in the aviation industry told El Reg: "You don't outsource something that is working well."

    Has your expert ever met a beancounter, as that's precisely the sort of thing they do...

    1. BitEagle

      Indeed, that's the very thing that you're supposed to do, or else your outsource provider will screw you on additional paid-for services...

    2. Destroy All Monsters Silver badge

      Sadly in this case, it was obviously not working well.

    3. Anonymous Coward
      Anonymous Coward

      > > An infosec expert with experience in the aviation industry told El Reg: "You don't outsource something that is working well."

      Depends *where* you are in the aviation industry. For instance if you are an air navigation services provider you will be swimming in money and your employees, many of which will be related through family or friendship ties, will get paid well, do short weeks, and have plenty of training and development opportunities abroad.

      If on the other hand you are an airline or, God forbid, a ground services company you will be counting every penny and if you can legally buy something cheaper somewhere else, you will do so. There is an element of survival in it.

  15. Pascal Monett Silver badge

    "the board wanted to cut costs"

    Yes, and outsources has such a long, proven history of being less expensive, right ?

    After all, nobody ever got fired for buying IBM . . .

    1. Anonymous Coward
      Anonymous Coward

      Re: "the board wanted to cut costs"

      It used to be.

      The appropriate meme is rapidly becoming "nobody stays hired for buying IBM".

  16. Anonymous Coward
    Anonymous Coward

    So they already knew...

    ...their "security" was crap or fcuked?

  17. Anonymous Coward
    Anonymous Coward

    Security Operations

    Security Operations sits organisationally within the Operations tower but the work is carried out by a 3rd party. It has already been outsourced.

  18. Danny 2

    "You don't outsource something that is working well."

    Oh, I get a hernia if I laugh too much. Shouldn't, not don't.

  19. Moog42

    I hear the sound of lawyers sharpening knives.

    Never mind the ICO... legal firm SPG law are readying to represent the customers with a class action for non-material damage. They reckon c £1,250 a head, and their parent company already has form in eviscerating Yahoo, Wendy's etc...

  20. GruntyMcPugh Silver badge

    "proposal will mean a period of uncertainty."

    There's not much uncertainty,... staff will get the regulatory two years protection under TUPE, and during this time they will train their offshore replacements, then the vast majority will get made redundant at statutory minimum payments.

  21. Anonymous Coward
    Anonymous Coward

    "You don't outsource something that is working well."

    Not my experience. For instance, last year Lloyds Banking Group signed a ten year deal with... IBM.

    For no reason. Half the IT staff left rather than get TUPEd across.

    They'd been using certain software for decades to manage 35000 servers and it ran like clockwork. All of a sudden, all those servers had to be moved from Lloyds data centres to IBM data centres... because IBM.

    Then the IT guys had to get their heads round an entirely different software suite... because IBM.

    Those who had TUPEd across each got an IBM laptop in addition to their Lloyds one, so that's two timesheets to complete, two email accounts... because IBM.

    Because they were no longer Lloyds employees, they were considered contractors and had to reapply for access to every system every three months. And there was a cost centre for every one, and no doubt in the background invoices would fly back and forth.

    Management thought you could magically move the functionality from one flavour of software to another brand of software, and that two blokes could do it in a fortnight. They really thought there was a wizard that went Next Next Finish.

    Deadlines appeared, boxes were ticked although stuff hadn't been done.

    1. Kientha

      Re: "You don't outsource something that is working well."

      The "Let's mark it as done because it's the deadline and we don't get paid otherwise" is everywhere in the IT sphere at the moment and in my experience results in a massive headache further down the line after that person moves on and no one realises it hasn't been done until way too late. Then you get the confused senior managers going "But it's marked as done! Why are we spending money on it if it's done! No if it says it is done it must be done."

      1. GruntyMcPugh Silver badge

        Re: "You don't outsource something that is working well."

        @Kientha "Let's mark it as done"

        Saw this a lot, we had solid, common sense boarding procedures, to deliver finished, compliant solutions. Unless there was a deadline, then stuff just went live. Often teams designated as support would refuse so my team would do the dirty work, rectifying all the security non compliances, now on a live environment subject too change control,.... and once we got it green, the account would be lost to us, often we only got BAU rates for this.

  22. adam payne

    Asked to clarify, Cruz said it was BA's own systems that alerted it to problems rather than those of an external security researcher, bank or financial service provider. Cruz sidestepped several questions on how the criminals broke in.

    Contradict yourself much.

    First you say it was a partner that told you then it your own systems that told you. Sorry but i'm not sure I quite believe you.

  23. Anonymous Coward
    Anonymous Coward

    just *before*?

    Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM,

    Seeing as they were outsourcing to *IBM*, I would have expected it to happen *afterwards*.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like