Last week, British Airways acknowledged that its website had been hacked, leading to 380,000 customers’ data being compromised. It seems it wasn’t too difficult either: cybersecurity firm RiskIQ has found that it took the attackers just 22 lines of code to get hold of the data.
RiskIQ speculated that a group called Magecart is behind this attack; it was responsible for the TicketMaster UK hack earlier this year, which affected the data of 400,000 customers. Magecart has traditionally stolen data by injecting a malicious script into payment forms.
“The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts,” RiskIQ said.
The attackers modified a copy of Modernizr version 2.6.2 (a JavaScript library that detects which features the visitor’s browser supports) hosted on BA’s site, and used it to steal data between August 21 and September 5. RiskIQ found that the script had been modified on August 21, just before the data theft began.
The modified code, in which just 22 lines differed from the original, sent the entered information to the attackers’ servers as soon as someone hit the ‘Submit’ button on the payment form. Because it ran in the customer’s browser, the script was able to capture BA customers’ names, addresses, phone numbers and payment card details on both the website and the mobile app.
RiskIQ advised affected customers to contact their banks and get a new card. Some banks have been proactively contacting affected customers as well.
Last night, we contacted 1,300 customers affected by the British Airways data breach and ordered them new cards as a precaution to protect them from fraud. https://t.co/jwmBUagJIv
— Monzo (@monzo) September 7, 2018
Law enforcement agencies in the UK, including the National Crime Agency and the National Cyber Security Centre, are still investigating the breach.
Meanwhile, a law firm called SPG Law is considering suing BA for £500 million. It has even set up a dedicated website, so that the affected customers can make a claim. We have reached out to BA for a statement.
How could @British_Airways have prevented the attacks? It most likely couldn't, a good web-app 0day would have landed someone on the box, the issue here is that they were not observing file changes on production servers. This should have and could have been detected.
— Hacker Fantastic (@hackerfantastic) September 11, 2018
These findings highlight the trouble with lax security practices among companies handling vast amounts of user data. The attackers never had to break into BA’s database: altering one user-facing script on a production server was enough, and that change went unnoticed for more than two weeks. A script served to every customer is a crucial part of the system, and a basic file-integrity check on the production web servers, comparing the deployed files against known-good copies, would have flagged the edit the day it was made. As we have seen in the past, BA’s IT systems have been a pain point for customers many times before. The company needs to get its house in order if it’s serious about keeping passengers safe.