British Airways have reported two substantial data breaches this year, initially reporting in September the compromise of 244,000 credit card transactions in August and September, and further disclosing in October another 185,000 transactions affected from April through July.
San Francisco-based cybersecurity company RiskIQ has provided a detailed analysis of how the British Airways security breach occurred: through the injection of malicious JavaScript source code and the configuration of server infrastructure made to appear related to British Airways.
RiskIQ reports that the compromise consisted of 22 lines of JavaScript injected into British Airways' copies of Modernizr and jQuery. There is nothing inherently insecure in using either Modernizr or jQuery, but the script added to the version served on the British Airways website read the data from the credit card form during payment and sent a copy of it to "baways.com", a domain assumed to be controlled by the attackers, while still submitting the data normally to the British Airways backend. The culprit carried out this attack by modifying production source code on the British Airways website.
RiskIQ attributes the security compromise to Magecart, a group also responsible for data breaches of Ticketmaster and Newegg:
Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK.
The data breach affected both web browser and mobile app credit card transactions, because both use the same compromised source code. For the first breach, the initially reported figure of 380,000 compromised transactions was later revised down by British Airways to 244,000.
The mechanism of the second data breach is currently unknown. That breach is reported to have occurred during award flight bookings, which require user authentication before a transaction can be made. It is therefore not as straightforward to inspect public archives of the source code from the time of the breach.
The first line of defense against an attack like this is to detect intrusions into infrastructure. In this case, however, British Airways was reportedly unaware of any intrusion. The next line of defense is to verify that production JavaScript source code has not been modified unexpectedly. One solution is an external monitoring system that detects any change to public-facing source code and confirms that every reported change matches an intentional deployment. This verification can be automated by comparing checksums against a known-good baseline.
The recently finalized W3C standard for Subresource Integrity, supported by Edge, Chrome, Firefox, and Safari, may also help prevent such attacks, particularly for third-party scripts. In the case of the British Airways hack, however, the attacker would likely also have changed the integrity hash in the script tag that loaded the compromised JavaScript source code.
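The checksum-based monitoring and SRI checks described above, as an added example that is not code from the article, RiskIQ, or British Airways: it computes SRI-style integrity values (`sha384-<base64>`), verifies a script body against an integrity string, and compares fetched scripts with a baseline recorded at the last intentional deployment. The script bodies and the URL are constructed placeholders.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value used in a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if content matches any supported token in a space-separated integrity string.
    Simplified: browsers first keep only the strongest listed algorithm, then match."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


def check_scripts(baseline: dict, fetched: dict) -> dict:
    """External monitor: compare fetched script bodies with the integrity values recorded
    at the last intentional deployment. Returns url -> 'ok' | 'MODIFIED' | 'missing'."""
    report = {}
    for url, expected in baseline.items():
        body = fetched.get(url)
        if body is None:
            report[url] = "missing"
        else:
            report[url] = "ok" if sri_matches(body, expected) else "MODIFIED"
    return report


# Constructed sample: the script as deployed, and the same script with lines appended
# after deployment (placeholder text stands in for the unexpected addition).
DEPLOYED = b"window.Modernizr = {};\n"
TAMPERED = DEPLOYED + b"/* constructed: unexpected appended code */\n"

if __name__ == "__main__":
    url = "https://example.invalid/modernizr.js"  # hypothetical URL
    baseline = {url: sri_hash(DEPLOYED)}          # recorded at deployment time
    for script, status in check_scripts(baseline, {url: TAMPERED}).items():
        print(status, script)
```

In practice the baseline is produced by the build pipeline and the monitor fetches the live script with an HTTP client on a schedule, alerting on any status other than `ok`.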