Security GDPR and BA

September 16th, 2018 by Stephen Jones

British Airways disclosed on Sept. 7 that it was the victim of a data breach that exposed details on 380,000 customers. The breach involved data from British Airways’ mobile application and website at ba.com. The airline noted in its advisory that the stolen data did not include customers’ passport information or travel details. However, the attackers stole names, addresses and payment card details of customers who used the British Airways website or mobile app between Aug. 21 and Sept. 5. To its credit, BA responded promptly and apologized.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018,” British Airways wrote in an advisory post.

The British Airways breach is the second in as many weeks to involve a major international airline. On Aug. 29, Air Canada reported that its mobile app had been breached, potentially exposing 1.7 million accounts to risk. Air Canada, however, estimated that information on only 20,000 customer accounts was stolen in the breach, which is thought to have taken place between Aug. 22 and 24.

The British Airways breach is potentially the first major test for the European Union’s General Data Protection Regulation (GDPR), which imposes strict requirements on the disclosure of breaches; non-compliance could result in costly financial penalties.

RiskIQ detected the use of a script associated with a “threat group” RiskIQ calls Magecart, the same set of actors believed to be behind a recent credit card breach at Ticketmaster UK. The Ticketmaster UK breach was the result of JavaScript injected through a third-party service used by the Ticketmaster website, but the British Airways breach was actually the result of a compromise of BA’s own web server, according to the RiskIQ analysis.

The RiskIQ analysis observed: “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

The suspect scripts were detected based on a daily crawl of websites conducted by RiskIQ, which gathers data on more than two billion pages a day. Focusing on how the scripts on the BA site changed over time, the RiskIQ researchers found a modified script within the BA site. Code added to a JavaScript library used by the BA site called an API on a malicious web server at baways.com—a virtual private server hosted by a provider in Lithuania, using a TLS certificate issued by Comodo (apparently to raise its appearance of legitimacy) on August 15.

The 22 lines of code were designed to export the data entered in the BA website’s payment form to the malicious server when the customer clicked the “submit” button, with the data being sent as a JSON object. As a result, the transaction went through for the customer without any errors, while the attackers received a full copy of the customer’s payment information, despite the payment apparently taking place over a secure session. The attackers also added a “touchend” callback to the script, which made the attack functional for users of BA’s mobile app—which loaded the same modified script.

While the modified script file’s timestamp matches the beginning of the attack reported by British Airways, the registration date for the malicious site’s certificate indicates that the attackers likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late.
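The change-over-time check described above, as an added example that is not from the original post, from RiskIQ or from British Airways: a small Python audit that compares a served first-party JavaScript file against its known-good copy, counts the added lines, and flags any host the added lines reference that is not on the site's allowlist. The script contents, the allowlist and the host baways.example are constructed stand-ins.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed allowlist: hosts the site's own scripts are expected to reference.
ALLOWED_HOSTS = {"ba.com", "www.ba.com"}

# Captures the hostname of any http(s) URL literal found in a line of code.
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed stand-in for a first-party library as originally deployed.
BASELINE_JS = """// payment page helpers (constructed sample)
function init(){ setup(); }
function setup(){ document.body.classList.add('ready'); }
"""

# Constructed stand-in for the same file after an unauthorised edit: two lines
# appended, one of which points at a host outside the allowlist.
CURRENT_JS = BASELINE_JS + """// appended lines (constructed sample)
var endpoint = "https://baways.example/api/v1";
"""


@dataclass
class ScriptFinding:
    path: str
    changed: bool
    new_lines: int = 0
    new_hosts: set = field(default_factory=set)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_script(path: str, baseline: str, current: str,
                 allowed: set = ALLOWED_HOSTS) -> ScriptFinding:
    """Flag a hash change, count lines absent from the baseline, and collect
    hosts referenced by those added lines that are not on the allowlist."""
    finding = ScriptFinding(path, sha256(baseline) != sha256(current))
    if not finding.changed:
        return finding
    known = set(baseline.splitlines())
    added = [ln for ln in current.splitlines() if ln not in known]
    finding.new_lines = len(added)
    for ln in added:
        for host in URL_RE.findall(ln):
            if host.lower() not in allowed:
                finding.new_hosts.add(host.lower())
    return finding


if __name__ == "__main__":
    print(audit_script("scripts/payment-helpers.js", BASELINE_JS, CURRENT_JS))
```

Run daily against a stored baseline of every script a checkout page loads, an alert on any non-empty `new_hosts` surfaces exactly the kind of change RiskIQ found: a small addition to a trusted library that talks to a domain the site never used before.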

British Airways did not comment on the RiskIQ report, as a criminal investigation is still underway.
