Did British Airways accidentally break its own security?
A PhD student from the Information Security Research Group of the Department of Computer Science at University College London, he knows more about internet security than your Average Joe.
Mustafa's been raising the alarm about BA's security for months. In July, he was attempting to check in online for his flight when he kept hitting a roadblock that wouldn't allow him to complete the process. Eventually, he figured out why.
BA only lets you check in online after you disable your ad blocker, "so that they can leak your booking details to tons of third-party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick", he tweeted at the time. All those ads you see for the destination you've just booked a flight to? Well, this is one of the many ways they're generated.
Mustafa complained to BA's Twitter handlers, who came back with the least useful piece of advice since Jackie Kennedy said "it's a lovely day, let's take the convertible for the trip to Dallas". Check in at the airport, BA's Twitter team told Mustafa, or clear your history and cookies. As Mustafa pointed out to them: "That's not how it works - third parties will already have my details, even after clearing history."
(By the way this is by no means the worst of the technical howlers committed by BA on social media. As Mustafa himself has highlighted, BA's Twitter account routinely asks customers to send them details such as passport number and expiry date, the last four digits of their payment card, billing address, post code and email address, so that they can investigate tweeted complaints. What the BA account often fails to add is that those details should be sent via DM, not in public replies. Thus you'll find customers compromising their own security by posting public replies to BA with all this sensitive information included. BA is the master of inadvertently phishing its own customers!)
Anyway, back to the story. Mustafa wasn't chuffed with BA's response, so he decided to complain to the Information Commissioner. It's a breach of GDPR to pass his flight details to third-party advertisers without his express permission, Mustafa argued in his letter. The Data Protection Act gives a company a month to sort out any complaint before the Commissioner gets his hands dirty, so Mustafa sent his letter to BA and twiddled his thumbs for a month.
On 20 August - 30 days later - Mustafa received a reply. It dismissed his claims that the check-in site didn't work with ad blockers and argued that by accepting the terms and conditions of its website, Mustafa had agreed to the processing of his data.
The letter made no admission of guilt or error on BA's behalf, but sometimes actions speak louder than carefully worded legal responses from BA's data protection officer, the marvellously named Jonathan Stiff. Because when Mustafa went back to check if BA was still using the offending advertising scripts on its website, they had mysteriously disappeared.
Fast forward a couple of weeks and Mr Stiff now needs a stiff drink. BA has put its hands up to an enormous data breach, where hackers somehow managed to get hold of almost 400,000 transactions, including everything right down to the three-digit security (CVV) code on the back of the card.
It's unlikely hackers would be able to fish such information out of BA's database, and BA's statement suggests it wasn't a database hack. The stolen details were taken during a very precise window: between 10.58pm on 21 August and 9.45pm on 5 September. As the CVV numbers were stolen, it suggests there was a rogue script running on the site.
"They [BA] changed their website to quietly remove the tracking scripts that were leaking booking reference information, although they didn't mention they did that in their response to me," Mustafa said after the hack was exposed. "The day after they replied to the complaint, they got hacked."
In its haste to remove potentially GDPR-breaching scripts from its website, is it possible that BA introduced a compromised script that was responsible for the attack? By rushing to fix one problem, had the company accidentally created a much bigger one?
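As an added illustration of the check a defender would run on a page like this (example code written for this article, not code from BA or from Mustafa's research; the HTML sample and hostnames are constructed placeholders): a small Python audit that lists the external scripts on a check-in or payment page, flags third-party origins and scripts that carry no Subresource Integrity hash, and derives a Content Security Policy allowlist from the pinned ones so an unexpected script is blocked and reported rather than silently run.

```python
"""Audit the <script> tags on a check-in/payment page for third-party and
unpinned scripts.  Constructed sample; hostnames are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "www.example-airline.test"  # assumed first-party host

# Constructed page: one pinned first-party script, one unpinned tracker,
# one pinned vendor library and an inline script (ignored by the audit).
SAMPLE_HTML = """<html><head>
<script src="https://www.example-airline.test/js/checkin.js"
        integrity="sha384-AAAA"></script>
<script src="https://ads.example-tracker.test/pixel.js"></script>
<script src="https://cdn.example-vendor.test/modernizr.js"
        integrity="sha384-BBBB"></script>
<script>console.log('inline');</script>
</head></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> together with its integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, first_party=FIRST_PARTY):
    """One finding per external script: is it third-party, and can the
    browser verify it (integrity present)?  An unpinned third-party script
    can be swapped for a skimmer without any change on the first-party side."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.scripts:
        host = urlparse(src).hostname or first_party
        findings.append({"src": src, "third_party": host != first_party,
                         "missing_sri": integrity is None})
    return findings


def csp_script_src(findings, first_party=FIRST_PARTY):
    """Build a script-src directive allowing 'self' plus only the hosts of
    pinned (SRI-bearing) scripts; anything else is blocked and reported."""
    hosts = {urlparse(f["src"]).hostname for f in findings
             if not f["missing_sri"] and urlparse(f["src"]).hostname != first_party}
    return "script-src 'self' " + " ".join(sorted(hosts)) + "; report-uri /csp-report"
```

Running `audit_scripts(SAMPLE_HTML)` flags the tracker as both third-party and unpinned, which is exactly the kind of script that should not be on a payment page at all.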