A cyber security firm claims to have discovered a malicious script injected into the British Airways website, which could be the cause of the data hack that affected 380,000 customer transactions.
BA said it was unable to comment on a BBC report that said a RiskIQ researcher analysed code from the airline’s website and app around the time when the breach began, in late August.
He is said to have found evidence of a “skimming” script designed to steal financial data from online payment forms.
A very similar attack, dubbed Magecart, affected the Ticketmaster website recently, which RiskIQ said it also analysed in depth.
The company said the code found on the BA site was very similar, but appeared to have been modified to suit the way the airline’s site had been designed.
“This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the researcher wrote in a report on the findings.
“The infrastructure used in this attack was set up with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”
Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack, according to the BBC.
In BA’s case, hackers stole names, email addresses and credit card details – including the long number, expiry date and the three-digit CVV security code.
“As this is a criminal investigation, we are unable to comment on speculation,” BA said.
A spokesman for the UK’s National Crime Agency said it was aware of the RiskIQ report but would not be commenting at this time.
RiskIQ recommended that BA customers affected by the breach get a new debit or credit card from their bank.
The firm warned that whoever was behind the attack had apparently decided to target specific brands and that more breaches of a similar nature were likely.
“There is a very clear emerging risk where the weakest link in payment processes is being actively targeted,” cyber-security expert Kevin Beaumont told the BBC.
“And that weakest link in the chain is often by placing older systems or third-party code into the payment chain.”