The Remedio Register

When Plaintext Passwords Cost Millions: Misconfig & Supply Chain Risks

Written by Eden Aizenkot | Aug 13, 2025 11:40:05 AM

In cybersecurity, the smallest missteps can lead to the biggest breaches. Take British Airways: a global airline worth over $17 billion, with robust systems and sophisticated infrastructure — brought down by one contractor, one login, and one forgotten file.

Gather round, ye disciples of digital defense, it's time for a cyber story! As is so often the case, this grim story starts on what was otherwise a sunny day back in June of 2018. On that fateful day, an attacker gained access to British Airways through compromised employee credentials of a third-party vendor — Swissport. The account had no multi-factor authentication (MFA), no conditional access, and no oversight.

That single access point opened the door to British Airways’ Citrix environment — intended to be a low-risk, sandboxed system. Once inside a server, the attacker found what should never exist: An admin password stored in plain text.

That password was the key. It allowed the attacker to:

  • Escalate privileges

  • Break out of the Citrix environment

  • Enter British Airways' internal network, where sensitive customer & payment data lived

From there, the fallout escalated quickly.

A Small Oversight With Massive Impact

British Airways had built a test tool for a new checkout system — one that logged payment data for debugging purposes. But it had never been deactivated.

So for nearly three years, that system quietly logged full credit card details — including CVVs — in plaintext files. No encryption. No anonymization. No alerts.

And nobody knew it was there.

The attacker copied what they could — over 100,000 payment records. Then, they took it a step further.

British Airways' website was still using a vulnerable JavaScript library from 2012. The attacker exploited it to inject malicious code directly into the live checkout flow.

Customers thought they were buying flights. In reality, their payment data was being siphoned off to a spoofed domain in real time.

The Cost of Carelessness: Misconfiguration Mayhem

This wasn’t just a technical failure. It was a visibility failure, a process failure — and above all, a misconfiguration failure.

The result?

  • Over 380,000 customers had personal and financial data stolen

  • £20 million fine issued by the UK's  Information Commissioner's Office (ICO)

  • The largest class-action lawsuit in UK data breach history

And all of it could have been prevented by baseline security hygiene.

Two Hard Lessons for Every Security Leader

1. Your supply chain is your attack surface

British Airways wasn’t breached directly. A third-party contractor with weak security controls was the entry point.

That’s the reality of today’s hybrid and cloud ecosystems: every vendor, every endpoint, every service you connect to your network becomes part of your security posture.

Without continuous visibility and enforcement, you’re trusting blindly.

What GYTPOL sees in the field confirms this daily: misconfigurations don’t stay isolated. They cascade through your environment, and often originate far from where the damage is ultimately done.

The remedy?

  • Continuously monitor external access
  • Enforce secure configurations across all users and vendors
  • Set strict policies and validate them regularly

2. Small gaps lead to massive breaches

Storing passwords in plain text. Skipping MFA. Running decadeS-old code. Leaving test tools live in production. Leaving defunct test environments intact and internet connected. Individually, these may seem minor. Together, they’re catastrophic.

This is why GYTPOL focuses on proactive hardening — because security isn’t about reacting quickly. It’s about building a posture where the breach doesn’t happen in the first place.

To do that, you'll need to possess certain key capabilities and abide by certain routine practices.

  • Harden endpoints based on benchmarks like CIS, NIST, and MITRE
  • Flag unsafe configurations in real time
  • Prevent changes that could break dependencies or disrupt operations
  • Roll back changes with one click, without downtime

Security As a Culture Rather Than a Checklist

If you're not enforcing your standards, you're assuming someone else will. But assumptions don’t hold up under attack.

The attackers today are fast, well-resourced, and creative. Your defenses must be proactive, intelligent, and always evolving.

At GYTPOL, we help organizations make hardening a  continuous process — not a periodic audit. Because in today’s landscape, the difference between resilience and regret often comes down to what you didn’t see and what you didn’t secure.

Every device, every configuration, every vendor matters. Start treating them that way — before someone else does.

FAQ

What is a supply chain attack in cybersecurity?
A supply chain attack occurs when attackers compromise a trusted third party, such as a software vendor, service provider, contractor, or technology partner, to gain access to another organization's environment. Rather than attacking the target directly, adversaries exploit weaknesses elsewhere in the trust chain, making strong vendor security and configuration management essential.
Why are plaintext passwords so dangerous?
Plaintext passwords are stored exactly as entered, without encryption or hashing. If attackers gain access to a system, they can immediately read and use those credentials to escalate privileges, move laterally, or access additional systems. Proper credential storage should always rely on strong cryptographic hashing with modern salting techniques.
How do misconfigurations contribute to supply chain breaches?
Misconfigurations often create the conditions that allow supply chain attacks to succeed. Examples include disabled multi-factor authentication (MFA), excessive privileges, exposed credentials, insecure test environments, outdated software, and overly permissive access controls. Attackers typically exploit these weaknesses after compromising a trusted vendor or account.
Can a small configuration mistake really lead to a major breach?
Yes. Many large breaches begin with seemingly minor oversights that individually appear low risk. A single exposed credential, forgotten debug setting, or unnecessary administrative permission can provide attackers with the foothold needed to compromise sensitive systems. Security incidents often result from multiple small weaknesses combining rather than one catastrophic failure.
How can organizations reduce supply chain cyber risk?
Organizations should continuously assess both internal and third party security posture. This includes enforcing secure configurations, requiring multi-factor authentication, validating vendor access, monitoring for configuration drift, applying least privilege, and regularly reviewing supplier security practices. Continuous validation is far more effective than periodic assessments alone.
Why is continuous configuration monitoring important?
Enterprise environments change constantly as systems are updated, applications are deployed, and users gain or lose access. Continuous monitoring detects insecure changes as they occur, allowing organizations to remediate exposure before attackers can exploit it. Point-in-time audits cannot identify risks introduced between assessment cycles.
What role does configuration management play in preventing breaches?
Configuration management establishes secure baselines and ensures systems remain compliant over time. By automatically identifying and correcting configuration drift, organizations reduce the likelihood that temporary exceptions, manual changes, or operational shortcuts become long-term security vulnerabilities.
Is vendor risk management only about evaluating suppliers before onboarding?
No. Vendor risk management should be an ongoing process. Organizations should continuously verify that third parties maintain appropriate security controls, review privileged access regularly, monitor for changes in vendor security posture, and reassess risk whenever new services, integrations, or business relationships are introduced.