Some Sources that are potentially useful.

GA Review

This review istranscluded fromTalk:British Airways data breach/GA1. The edit link for this section can be used to add comments to the review.

Nominator:Joereddington (talk ·contribs)13:44, 26 November 2024 (UTC)[reply]

Reviewer:RoySmith (talk·contribs)23:59, 14 December 2024 (UTC)[reply]

Before I dig into the review proper, my initial impression is that this is way too short. I know we don't have any specific length requirements, but looking at the two most similar GAs (2022 Optus data breach andYahoo data breaches), both of those are about 2000 words. Ignoring the large block quote (which itself is about 25% of the text), this is about a third of that. Looking atWP:GACR6 3a ("it addresses the main aspects of the topic") and comparing the depth of coverage here to the depth of coverage in those other articles, I'm unsure if this meets the requirement.@Schierbecker andVaticidalprophet: you were the reviewers of those other articles, so I'd be interested to hear your impression of this one before I go any further.RoySmith(talk)23:59, 14 December 2024 (UTC)[reply]

It's a very valid point, and it was always going to be a concern. Helpfully I (re)wrote the Yahoo Data breaches article so I familiar with it. There is a tension with all of the date breach articles between the established facts and a tendency to report speculation and rent-a-quotes as facts. The BA data breach article is certainly deliberately lean, and I, if necessary, would expand the issues with the Modenizr script, and maybe bring in some of the more sober contemporaneous quotes, but I wanted to take it through GA in its most defensible form.

(I would also mention: my understanding is that the author of the excellent Optus article intends to take it forward to FA; I do not have such aspirations for the BA breach)

I am, of course, a humble servant of the process so I am happy to be advised on revisions. :)Joe (talk)07:49, 15 December 2024 (UTC)[reply]

• There's a lot of acroynms (CVV, GDPR, ICO, BA) which should be defined the first time they're used and/or linked to appropriate articles about them.
• You should explain what "escalated their account privileges" means. Sophisticated readers will know what it means, butWP:TECHNICAL applies.
• data that British Airways was improperly recording what does "improperly recording" mean in this context? Were they recording data that they should not have recorded at all, or were they just not protecting it properly?
• redirected users of British Airways website to a bogus site is "redirected" being used here in thetechnical HTTP sense, or in the more generic sense of telling their users to go there?
• users of British Airways website missing "the" before British Airways?
• an attacker gained access to British Airways Network why is Network capitalized?
• by means of compromised credentials a non-technical reader will not know what a "compromised credential" is.
• The compromised account did not have multi-factor authentication enabled. Again, WP:TECHNICAL. Most people won't have a clue what MFA is or why it's significant. You don't have to go into great detail, but some kind of "why should I care?" explanation is needed.
• The attacker was initially restricted to a Citrix environment More of the same. I know what Citrix is, but most readers won't, so they won't understand why this is significant. Likewise, they won't understand what it means that the attacker "broke out of the environment"
• administrator password stored in plaintext andthe attacker found plain text files. I know that you mean "not encrypted", but a non-technical reader won't know this. For most people, "plain text" means (quoting my wife, who is more technical than most and whom I just asked as a test) "not formatted, doesn't have any funny **** in it").

OK, I'm going to stop here. Looking over the rest of the article, there's more of the same. I'm afraid I'm going to have to quick-fail this for being "a long way from meeting" the requirement to be "understandable to an appropriately broad audience". My general recommendation is that every time you talk about some bit of technology (i.e. a javascript library), give the reader some idea of what it is, why what BA was doing with it was problematic, and how this contributed to the data breach. I totally agree with you that pulling in a large collection of silly quotes is not useful, so don't do that. That's not what I was referring to when I said this didn't go into enough depth.RoySmith(talk)16:59, 16 December 2024 (UTC)[reply]