Another Mobile App Assisted Breach… This Time It Is British Airways


In a tweet on September 6th, British Airways announced that it was “investigating the theft of customer data from our website and our mobile app” (emphasis added). This is just another example of a breach that has been at least partially enabled by mobile apps.

According to reports, information from as many as 380,000 payment cards was exposed, including names, email addresses and card details (card numbers, expiry dates and three-digit CVV codes). The exposure may have occurred through either British Airways or a third-party processor. Under the new GDPR rules, British Airways may be facing large fines over the breach; some headlines have placed the potential fines as high as £500 million.

As the global leader in enterprise mobile security, Zimperium is not only concerned about protecting employees’ devices (whether corporate-owned or BYO), but also about protecting customer and employee mobile app sessions (the period of time within which a user interacts with an app), user credentials, sensitive data inside the mobile app, and access to critical backend systems against threats like those experienced by British Airways.

For example, every month at one of the world’s largest banks, Zimperium’s zIAP (our software development kit (SDK) that embeds our z9 detection inside any mobile app to help that app detect device, network and malicious app attacks) protects a half billion sessions and provides the bank with visibility to prevent potential fraud in exposed accounts, protecting over a billion dollars for customers.

Leading companies like British Airways have secured as much of the mobile app value/transaction chain as possible, but they have not been able to account for the most dangerous link: consumers’ devices and the WiFi networks that they attach to.

They have secured the backend servers, encrypted network traffic, conducted pen/vulnerability tests and hardened their app via app shielding. But what about the devices their app is sitting on? What about the WiFi networks that are increasingly less secure? That is where zIAP comes in.

For example, a common banking trojan called BankBot pops up on top of the user’s legitimate banking app to steal credentials; with the mobile phone also serving as the second authentication factor, it can then place transactions either directly from the mobile device or on the web without the bank realizing that the transaction is fraudulent. In another example, hackers used the app’s access to backend systems to inject their own transactions into the system. Worse still, compromised mobiles have been used to steal sensitive email attachments and to access cloud or internal document repositories. Whatever a mobile device can access, a hacker can access once they compromise that device.

If you would like to learn more about the British Airways breach, especially if you are a customer, you can access information here.

If you would like to learn more about using zIAP to help prevent breaches like this one, please contact us here.


The post Another Mobile App Assisted Breach… This Time It Is British Airways appeared first on Zimperium Mobile Security Blog.

About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at or our official blog at
