Second attack against British Airways is disclosed

Payment card information of more than 180k people could have been stolen

Details on a second cyberattack incident against British Airways airline have been recently disclosed. According to experts in digital forensics, victims’ payment card information would have been obtained through a compromised website that would have gone unnoticed for months.

British Airways would discover the security breach while investigating the data theft of its website that was raised last September, an event that affected about 380k transactions of the company.

International Airlines Group, the owner of British Airways, has reported that both attacks have apparently been deployed by the same group of hackers. The company added that it would contact customers over the next few weeks to inform them of the situation in which their information is found.

Financial impact

Information on the security breach was revealed in a stock exchange announcement by International Airlines Group. The company said that the previous attack took place between April 21 and July 28. The incident only affected customers who made reservations using the rewards of the British Airways loyalty program.

International Airlines Group mentions that those affected by security violations can be classified into two different groups:

  • 77k people suffered the theft of data such as name, address, email address and detailed payment information
  • 108k people lost their personal data and, in addition, the security code of their payment cards was extracted

Few additional details about this theft have been revealed so far.

According to experts in digital forensics, in early September British Airways reported that its website and its application had been compromised between August 21 and September 5. About 380k people were involved in this incident, including payment card details used by 244k affected users.

“Since the announcement published in September, British Airways can confirm that there have been no verified cases of fraud”, the company said in a statement.

The September attack prompted an investigation by the United Kingdom’s National Crime Agency and the Office of the Commissioner of Information.

British Airways and International Airlines Group could face huge penalties as the violation occurred after strict European privacy and data standards, known as the General Data Protection Regulations (GDPR), came into force.

According to experts in digital forensics from the International Institute of Cyber Security, the group behind these attacks could be the hacker organization known as Magecart, which would have created a customized infrastructure to adapt to the site British Airways website and mobile app specifically and avoid detection for as long as possible. Although it is not possible to know how much information the attackers accessed on the British Airways servers, the fact that they were able to modify a resource for the website using only 22 lines of code, suggests that the access was substantial. This is a clear reminder of how vulnerable the assets stored in the network are.