Blog

It had to happen again, because it always does with alarming regularity.

But the exposure of 380,000 BA customer payment cards is one of the biggest single UK payment card security gaffes ever.

BA said the stolen data did not include travel or passport information.

It did, however, include the personal and financial details of those booking travel via the BA website and mobile app during the affected period.

Compromised information includes card numbers and CVV codes.
The attackers must be in cyber heaven.

If you’re looking for clues as to how the hack happened, the fact that only card information was stolen is a big one, suggesting the information was lifted from online payments just as they were being made.

This gains further weight when BA said; “From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.”

We can only speculate to how the attack was carried out but it wouldn’t be a long shot to suggest that a third party script was compromised.

• Most websites today have integrated third party scripts from a variety of sources.
• Often these scripts, loaded from vendor servers such as ad servers, analytics, or marketing, lack the level of security needed to protect visitors to the site.
• Third party scripts you likely see every day include banners, search boxes, games, videos, polls and social buttons.
• Third party code is only activated on a visitor’s web browser. This means that the company’s main site’s web server and their security measures are bypassed.
• If attackers discover a vulnerability in a third party script they can embed malicious code that can snoop and steal information such as credit card data when payments are being made and then funnel it elsewhere.