Code used to hack BA passenger data discovered
A cyber security firm has found the script used to steal the airline's customer data
Last week, the airline revealed it had been the subject of a data breach thought to have affected around 380,000 customers over a two-week period back between late August and early September. The stolen information included personal and payment information taken from BA's website and mobile app.
Looking into the breach, cyber security firm RiskIQ has claimed that a fraudulent group called Magecart could be behind it, citing its involvement with the recent breach to Ticketmaster as an example of its modus operandi.
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," said RiskIQ threat researcher Yonathan Klijnsma.
"Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK."
A technique called skimming was used in both breaches. Skimmers are traditionally used by criminals on credit cards in the form of devices hidden within credit card readers on ATMs, fuel pumps, and other machines people use for day-to-day purchases that steal payment data for a criminal to either use or sell to a third party.
According to RiskIQ, mouseup' and touchend', are events for when someone lets go of the mouse after clicking on a button or when someone using a touchscreen device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form can be extracted and sent to the attacker's server.
This particular type of skimmer is very much attuned to how BA's payment page is set up, according to RiskIQ, which suggests the hackers had carefully considered how to target the airline instead of blindly injecting a regular Magecart skimmer.
Preparing for long-term remote working after COVID-19
Learn how to safely and securely enable your remote workforceDownload now
Cloud vs on-premise storage: What’s right for you?
Key considerations driving document storage decisions for businessesDownload now
Staying ahead of the game in the world of data
Create successful marketing campaigns by understanding your customers betterDownload now
Solutions that facilitate work at full speedDownload now