The recent British Airways data breach was caused by a malicious script injected into the company’s website, cybersecurity firm RiskIQ has found.

Analysis of code from BA’s website around the time when the breach is thought to have occurred shows evidence of a script designed to steal financial data entered into BA’s online payment forms.

Related Company Profiles

View all

The airline has admitted that the data of more than 380,000 customers was stolen as the breach went undetected for 16 days.

But who was behind the latest attack on a mainline airline, following attacks on Air Canada and Delta Air Lines earlier this year?

Magecart: The main suspect

RiskIQ has settled on the conclusion that Magecart, a cybercriminal group that has been operating since 2015, was behind the hack. The group has been linked with attacks on over 7,000 online stores in the last three years.

According to RiskIQ, the latest breach can be linked to the group due to the similarities between the code placed on the BA site and the code used to steal the payment data of tens of thousands of Ticketmaster customers earlier this year, another attack thought to have been carried out by Magecart.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The code is designed to steal payment card information entered into checkout pages, as well as sensitive information such as credit card numbers, names and addresses. However, on this occasion the script’s appearance had been altered in order to make it blend in on the BA site.

Announcing the discovery, RiskIQ researchers said:

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site,”

This certainly seems to suggest that the breach is the work of a more organised group, given that the breach went undetected for so long.

David Atkinson, Founder of Senseon, said:

“When it comes to criminal groups, it’s all about the money. They have the skills, resources and time to take attacks to the next level being very careful about their operations.”

What does this mean for those affected?

Having your data stolen is concerning at the best of times. However, the type of data that was potentially compromised in the BA breach is particularly worrying.

It’s still too early to know how much damage the breach has or will cause. However, if an organised group like Magecart is behind it, then it is highly likely that this data will be used to maliciously target BA customers in the future.

Atkinson said:

“If an organised criminal group has compromised British Airways they will be using planned and proven methods to start turning the stolen information into money. Normally this is done through an established network of specialists at each stage of the cash out process involving carding gangs and money mules.”

According to Bill Conner, CEO of cybersecurity specialist SonicWall, personal information that doesn’t change frequently, such as credit card numbers, drive a high price on the Dark Web.