Eden Aizenkot
Aug 13, 2025 7:40:05 AM

When Plaintext Passwords Cost Millions: Misconfig & Supply Chain Risks

In cybersecurity, the smallest missteps can lead to the biggest breaches. Take British Airways: a global airline worth over $17 billion, with robust systems and sophisticated infrastructure — brought down by one contractor, one login, and one forgotten file.

Gather round, ye disciples of digital defense, it's time for a cyber story! As is so often the case, this grim story starts on what was otherwise a sunny day back in June of 2018. On that fateful day, an attacker gained access to British Airways through compromised employee credentials of a third-party vendor — Swissport. The account had no multi-factor authentication (MFA), no conditional access, and no oversight.

That single access point opened the door to British Airways’ Citrix environment, which was intended to be a low-risk, sandboxed system. Once inside a server, the attacker found what should never exist: an admin password stored in plain text.

That password was the key. It allowed the attacker to:

  • Escalate privileges

  • Break out of the Citrix environment

  • Enter British Airways' internal network, where sensitive customer & payment data lived

From there, the fallout escalated quickly.

A Small Oversight With Massive Impact

British Airways had built a test tool for a new checkout system — one that logged payment data for debugging purposes. But it had never been deactivated.

So for nearly three years, that system quietly logged full credit card details — including CVVs — in plaintext files. No encryption. No anonymization. No alerts.

And nobody knew it was there.
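A check a defender would want for exactly this failure mode, added here as an example (not code from the original post or from GYTPOL): it scans debug-log lines for Luhn-valid card numbers and raises the severity when a CVV field sits on the same line. The log lines and card numbers are constructed test data, not anything from the breach.

```python
import re

# Constructed sample debug-log lines (not from the post); the card numbers are
# well-known test PANs, and the third one deliberately fails the Luhn check.
SAMPLE_LOG = """\
2018-06-21 10:02:11 checkout-debug card=4111111111111111 exp=12/21 cvv=737 amount=249.00
2018-06-21 10:02:12 checkout-debug order=A1B2C3 status=ok
2018-06-21 10:02:13 checkout-debug card=4111111111111112 exp=01/22 cvv=123 amount=88.50
2018-06-21 10:02:14 checkout-debug txn_ref=5500000000000004 status=declined
"""

# 13-19 digit runs not embedded in a longer digit run. Field names are ignored on
# purpose: a PAN logged under an innocent-looking key (txn_ref) is still a PAN.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be reported without re-logging the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list[dict]:
    """Flag lines holding a Luhn-valid PAN; a CVV on the same line makes it critical."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pans = [m.group(1) for m in PAN_RE.finditer(line) if luhn_valid(m.group(1))]
        if not pans:
            continue
        cvv_present = CVV_RE.search(line) is not None
        for pan in pans:
            findings.append({
                "line": lineno,
                "pan": mask_pan(pan),
                "cvv_present": cvv_present,
                "severity": "critical" if cvv_present else "high",
            })
    return findings
```

Run it as a scheduled job over application and debug logs; any "critical" finding means card data plus CVV is being written to disk and the logger should be removed, not just the file.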

The attacker copied what they could — over 100,000 payment records. Then, they took it a step further.

British Airways' website was still using a vulnerable JavaScript library from 2012. The attacker exploited it to inject malicious code directly into the live checkout flow.

Customers thought they were buying flights. In reality, their payment data was being siphoned off to a spoofed domain in real time.

The Cost of Carelessness: Misconfiguration Mayhem

This wasn’t just a technical failure. It was a visibility failure, a process failure — and above all, a misconfiguration failure.

The result?

  • Over 380,000 customers had personal and financial data stolen

  • £20 million fine issued by the UK's Information Commissioner's Office (ICO)

  • The largest class-action lawsuit in UK data breach history

And all of it could have been prevented by baseline security hygiene.

Two Hard Lessons for Every Security Leader

1. Your supply chain is your attack surface

British Airways wasn’t breached directly. A third-party contractor with weak security controls was the entry point.

That’s the reality of today’s hybrid and cloud ecosystems: every vendor, every endpoint, every service you connect to your network becomes part of your security posture.

Without continuous visibility and enforcement, you’re trusting blindly.

What GYTPOL sees in the field confirms this daily: misconfigurations don’t stay isolated. They cascade through your environment, and often originate far from where the damage is ultimately done.

The remedy?

  • Continuously monitor external access
  • Enforce secure configurations across all users and vendors
  • Set strict policies and validate them regularly

2. Small gaps lead to massive breaches

Storing passwords in plain text. Skipping MFA. Running decades-old code. Leaving test tools live in production. Leaving defunct test environments intact and internet-connected. Individually, these may seem minor. Together, they’re catastrophic.

This is why GYTPOL focuses on proactive hardening — because security isn’t about reacting quickly. It’s about building a posture where the breach doesn’t happen in the first place.

To do that, you'll need to possess certain key capabilities and abide by certain routine practices.

  • Harden endpoints based on benchmarks like CIS, NIST, and MITRE
  • Flag unsafe configurations in real time
  • Prevent changes that could break dependencies or disrupt operations
  • Roll back changes with one click, without downtime

Security As a Culture Rather Than a Checklist

If you're not enforcing your standards, you're assuming someone else will. But assumptions don’t hold up under attack.

The attackers today are fast, well-resourced, and creative. Your defenses must be proactive, intelligent, and always evolving.

At GYTPOL, we help organizations make hardening a continuous process — not a periodic audit. Because in today’s landscape, the difference between resilience and regret often comes down to what you didn’t see and what you didn’t secure.

Every device, every configuration, every vendor matters. Start treating them that way — before someone else does.


About Author

Eden Aizenkot

A Senior Marketing Manager with a background in design, Eden drives growth through impactful, resonant campaigns.