British Airways said Thursday that the personal and financial details of customers making bookings between August 21 2018 and September 5 2018 were stolen in a data breach involving 380,000 bank cards. A classic hacking report.

And then in other news, personal details of two million people were exposed online via a data breach by a controversial tracking app that allows parents to spy on their children. The app, named mSpy, gives users complete access to another person's smartphone, allowing them to see everything from their texts and Facebook messages to their location and browsing history.

Data breaches and hacking are affecting companies large and small. And these are the ones that grab headlines.

What do the companies do in these cases?

"We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details," the airline said in a statement. Around 380,000 payment cards were compromised.

An mSpy app spokesperson said: “First of all, we would like to thank Nitish Shah who has contacted our support team about the problem, providing all the details, and to confirm that very unfortunately his initial request was not addressed.” They added: “The support trainee who was checking the tickets that day has marked an email as spam and it never reached anyone else.” Additionally, they said: “We confirm that on the same day we have been contacted by Brian Krebs (all the emails go initially through support team) to ‘get the breach cleaned out’. The email was assigned to the head of Support department who was on vacation (pure coincidence) and responded to it on the next day.”

So, you can see the issue: two very different companies and two very different responses. The companies, especially small ones, cannot be relied upon to deal with these issues. The data, your data, is exposed to risk every time you allow ANY third party to host and use it.

In the case of BA, the National Crime Agency is also involved and they said: "We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action."

The NCA is set up to tackle the most serious and organised crime posing the highest risk to public security in Britain. But I doubt that they are doing anything on the mSpy App – this data could be far more invasive and sensitive.

For smaller companies, it’s the security community we have to thank for exposing breaches and making them upgrade security. Nitish Shah, an independent security researcher, discovered an exposed database online supposedly belonging to mSpy that contained details of two million users of the app, according to KrebsOnSecurity, a cybersecurity blog.

The details included usernames, passwords, call logs, texts, Facebook messages, notes and location data. Anyone with access to the internet could access the files. Mr Shah found that the database had files for every mSpy customer who logged into the site or purchased an mSpy license over the past six months. The database has now been taken down. However, Mr Shah said the company - which has offices in the UK, US and Germany - initially ignored his security concerns.

The advice for you and me is the same: check your bank statements regularly, change passwords often, use strong passwords only, use apps and systems that you believe are credible, and limit the data you put online.

Stories published by AFP World News and the Daily Telegraph (UK)

Posted in Cyber Insurance blog on Sep 07, 2018