Has the cause of the BA data breach been identified?

Last week it was announced that the personal and financial details of 380,000 British Airways customers had been stolen by cyber criminals.

The latest news reports claim that the cause of the data breach has been identified by a RiskIQ researcher, who has analysed the code from BA’s website and app. The researcher says there is evidence of a “skimming” script designed to scrape data from online payment forms.

BA’s response is that “As this is a criminal investigation, we are unable to comment on speculation.”

Skimming script linked to criminal group Magecart

If this skimming is proven, it would be a similar attack to the one that hit the Ticketmaster website earlier this year, which has been linked to the criminal hacking group Magecart.

It is claimed that Magecart’s approach is to “inject script designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites”.

RiskIQ adds that it has been able to identify 22 lines of modified JavaScript that grabbed data from BA’s online payment form and sent it to the criminal hackers’ server as soon as the customer clicked ‘submit’.

Magecart is known to attack online retailers across the globe using malicious JavaScript, so the BA breach seems to chime with its modus operandi, although we may have to wait several months for the formal investigations to be completed.

Likely long-term implications for BA

Although BA reported the breach within the 72-hour timeframe required under the GDPR (General Data Protection Regulation), the organisation has still suffered a fall in share value and customer discontent. After all, as well as customers’ personal details and credit card numbers being stolen, the crooks were also able to scrape the three- and four-digit card security codes, which are the last line of defence against online fraud.

The CVV security codes are not supposed to be stored on merchants’ websites under the PCI DSS (Payment Card Industry Data Security Standard), so a breach of this data is rare. To date, BA’s public statements and emails to customers haven’t explained how it lost such critical data.

Under the GDPR, a fine of up to 4% of global annual revenue is possible, so BA could be hit with a £500 million penalty.

92% of UK organisations breached

According to Carbon Black, 92% of UK organisations have been breached in the past year, so no one can be complacent.

Cyber security and breach readiness must be prioritised within business operations to ensure that organisations and individuals reduce risk and are able to act effectively when a breach occurs.

Our resources can help you prepare for the inevitable. With staff awareness, books, consultancy and software solutions, we have an option to suit your needs.