The recent British Airways data breach was caused by a malicious script injected into the company’s website, cybersecurity firm RiskIQ has found.
Analysis of code from BA’s website around the time when the breach is thought to have occurred shows evidence of a script designed to steal financial data entered into BA’s online payment forms.
The airline has admitted that the data of more than 380,000 customers was stolen as the breach went undetected for 16 days.
But who was behind the latest attack on a mainline airline, following attacks on Air Canada and Delta Air Lines earlier this year?
Magecart: The main suspect
RiskIQ has settled on the conclusion that Magecart, a cybercriminal group that has been operating since 2015, was behind the hack. The group has been linked with attacks on over 7,000 online stores in the last three years.
According to RiskIQ, the latest breach can be linked to the group due to the similarities between the code placed on the BA site and the code used to steal the payment data of tens of thousands of Ticketmaster customers earlier this year, another attack thought to have been carried out by Magecart.
The code is designed to steal payment card information entered into checkout pages, as well as sensitive information such as credit card numbers, names and addresses. However, on this occasion the script’s appearance had been altered in order to make it blend in on the BA site.
Announcing the discovery, RiskIQ researchers said:
“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site,”
This certainly seems to suggest that the breach is the work of a more organised group, given that the breach went undetected for so long.
David Atkinson, Founder of Senseon, said:
“When it comes to criminal groups, it’s all about the money. They have the skills, resources and time to take attacks to the next level being very careful about their operations.”
What does this mean for those affected?
Having your data stolen is concerning at the best of times. However, the type of data that was potentially compromised in the BA breach is particularly worrying.
It’s still too early to know how much damage the breach has or will cause. However, if an organised group like Magecart is behind it, then it is highly likely that this data will be used to maliciously target BA customers in the future.
“If an organised criminal group has compromised British Airways they will be using planned and proven methods to start turning the stolen information into money. Normally this is done through an established network of specialists at each stage of the cash out process involving carding gangs and money mules.”
According to Bill Conner, CEO of cybersecurity specialist SonicWall, personal information that doesn’t change frequently, such as credit card numbers, drive a high price on the Dark Web.