British Airways reveals details about data breach


The airline has published a new statement about the security incident

Experts in ethical hacking reported on 6 September that British Airways had suffered a security breach that led to the theft of data belonging to about 380,000 of its customers, including banking and personal data. In recent days, British Airways published an article on its website explaining details of the incident. Although technical specifics were scarce, the statement reported that:

  • Payments through its main website were affected
  • Payments through its mobile application were affected
  • This occurred between 22:58 on August 21, 2018 and 21:45 on September 5, 2018

The report also clearly stated that the information was stolen from British Airways’ website and mobile app, but did not mention any other security breaches, such as database or server attacks, or anything else that would indicate that the breach affected more than the payment information entered on the website. Given the nature of the case, some experts in ethical hacking already have a prime suspect: the hacking group known as Magecart.

Magecart, a known rival

Since 2015, web-based payment card fraud operated by the hacking group Magecart has been reported. Traditionally, criminals use devices known as card skimmers – devices hidden within credit card readers in ATMs, fuel pumps and other machines – to steal credit card data. Magecart uses a digital variety of these devices.

Magecart injects scripts designed to steal confidential data that consumers enter into online payment forms on e-commerce websites, either directly or through compromised third-party vendors used by these sites. Recently, Magecart’s operatives placed one of these digital skimmers on Ticketmaster websites through a compromised third-party service.

The first step in linking this group of hackers with the attack on British Airways consisted of reviewing previous Magecart detections. Finding instances of Magecart is so common that a cybersecurity firm can expect at least one alert per hour about sites at risk of skimming code infection.

According to the first investigations of the case, Magecart built a customized infrastructure tailored specifically to the British Airways website and mobile app in order to avoid detection for as long as possible. Although it is not possible to know how much information the attackers accessed on the British Airways servers, the fact that they were able to modify a resource for the site, using a script of just 22 lines, suggests that the access was substantial. This is a clear reminder of how vulnerable network-hosted assets are.
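The point above about a modified site resource can be turned into a routine check. The following is an added example, not code from the article, British Airways or the investigators: it compares a served script with a known-good copy, using the digest format browsers use for Subresource Integrity, and lists the lines that were added and any hosts they reference. The file contents, host names and function names are constructed for illustration.

```python
import base64
import difflib
import hashlib
import re

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def sri_digest(content: bytes) -> str:
    """Return 'sha384-' plus the base64 SHA-384 hash (Subresource Integrity format)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def check_resource(known_good: bytes, served: bytes, allowed_hosts: set) -> dict:
    """Compare a served script with its known-good copy.

    Reports whether it changed, which lines were added, and which hosts in
    the added lines are missing from the allow-list.
    """
    if sri_digest(known_good) == sri_digest(served):
        return {"modified": False, "added_lines": [], "unexpected_hosts": []}
    old = known_good.decode("utf-8", "replace").splitlines()
    new = served.decode("utf-8", "replace").splitlines()
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    added = [line
             for tag, _, _, j1, j2 in matcher.get_opcodes()
             if tag in ("insert", "replace")
             for line in new[j1:j2]]
    hosts = {h.lower() for line in added for h in URL_HOST.findall(line)}
    return {"modified": True, "added_lines": added,
            "unexpected_hosts": sorted(hosts - allowed_hosts)}

# Constructed sample: a small library file and a served copy with lines appended.
KNOWN_GOOD = b"""/* feature-detect.js (constructed sample) */
var features = { touch: 'ontouchstart' in window };
window.features = features;
"""
SERVED = KNOWN_GOOD + b"""/* constructed appended block */
var endpoint = "https://collector.example.invalid/gateway";
reportTo(endpoint);
"""
ALLOWED = {"www.example.com", "static.example.com"}  # assumed first-party hosts

if __name__ == "__main__":
    result = check_resource(KNOWN_GOOD, SERVED, ALLOWED)
    print("modified:", result["modified"])
    for line in result["added_lines"]:
        print("  +", line)
    print("unexpected hosts:", result["unexpected_hosts"])
```

Run against each deployed script on a schedule, a check like this surfaces a short appended block that a visual review of a large library file would miss.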

Experts in ethical hacking from the International Institute of Cyber Security have warned on several occasions about Magecart attacks since the group's detection in 2015. They note that although the Magecart attack on British Airways did not come through an external vendor, as the attack on Ticketmaster did, it still compromised users' payment data. Companies, especially those that collect confidential financial data, must consider not only the security of their forms but also the controls that influence what happens with the payment information once the customer submits it.