On Friday, British Airways disclosed[1] a data breach impacting customer information from roughly 380,000 booking transactions made between August 21 and September 5 of this year. The company said that names, addresses, email addresses, and sensitive payment card details were all compromised. Now, researchers from the threat detection firm RiskIQ have shed new light on how the attackers pulled off the heist.
RiskIQ published details tracking the British Airways hackers' strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card skimming—finding websites that don't secure payment data entry forms, and vacuuming up everything that gets submitted. But while Magecart has previously been known to use the same broadly targeted code to scoop up data from various third-party processors, RiskIQ found that the attack on British Airways was much more tailored to the company's specific infrastructure.
"We’ve been tracking the Magecart actors for a long time and one of the developments in 2017 was ... they started to invest time into targets to find ways to breach specific high-profile companies, like Ticketmaster," says RiskIQ threat researcher Yonathan Klijnsma. "The British Airways attack we see as an extension of this campaign where they’ve set up specialized infrastructure mimicking the victim site."
In its initial disclosure, British Airways said that the breach didn't impact passport numbers or other travel data. But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value codes—the extra three or four-digit numbers that authenticate a card—even though British Airways has said it does not store CVVs. British Airways further noted that the breach only impacted customers who completed transactions during a specific timeframe—22:58 BST on August 21