BA data breach: what we’ve learnt so far

The likely cause of the airline’s breach could affect many other companies – with potentially severe consequences.

While British Airways itself has not disclosed very much about its recent breach, the security industry has been more vocal.

The likely cause of the airline’s data breach – in which nearly 400,000 customers’ personal and financial data was compromised – is something that could very easily affect many smaller companies.

It seems likely that a hacking group called Magecart used a technique called cross-site scripting (or XSS). This would have injected malicious JavaScript code into a BA server or servers. The code would copy all the checkout information that went through the server (normally containing payment details, name, address and phone number), and then send it to the attacker.

XSS is a well-known vulnerability. It’s actually on the Open Web Application Security Project’s (OWASP) top-10 list of the most critical security risks, coming in at number three.

Magecart is believed to have recently attacked several other companies using the same method, including Ticketmaster, Feedify, ABS-CBN and most recently Newegg. In the case of Feedify, Magecart added their malicious code to one of the files Feedify customers use in their own websites, so that the impact could be much larger.

Even though Magecart seem to have focused on larger companies, this could easily change. Other hackers could also start copying this attack.

Attackers continue to exploit basic security vulnerabilities and companies still allow these vulnerabilities to exist. Until this changes, the advantage is squarely with the attacker.

The Information Commissioner’s Office (ICO) has traditionally taken a dim view of companies that haven’t done the basics right. This is likely to be even more the case following the implementation of the General Data Protection Regulation on 25 May, and could well influence the size of any fines that the ICO issues.

So what should companies do, especially those that take payments online? First, they should check that their websites are not vulnerable to XSS attacks, either by running a vulnerability scanner or by engaging a security vendor. Second, they should seriously consider cyber insurance, which would cover defence and litigation costs as well as the costs of mitigating the breach itself.

For more information, please contact Peter Erceg on:

+44 (0)20 7933 2608