The British Airways Hack - What went Wrong

  • 01 Sep 2019
  • Business Security, Data Breaches, Web Applications

Between August 21 and September 5 British airways suffered a drastic breach of user data including home addresses, credit card information and phone numbers. The perpetrators are unknown but they managed to steal around 500,000 users data with only 22 lines of code.

This code was hidden in a Modernizr version which was initially intended to detect browser features, This script was stored stored on British airways baggage claim subdomain.This was edited by the attacker adding the 22 lines of malicious code. This code was then loaded and pulled directly from payment forms when they submitted it to BA. BA plan to reimburse customers who suffer “direct financial losses” but many are getting ready to get further compensation for their loss of data. On top of these most likely large lawsuits if their future BA have been slapped with a £183.39m fine due to infringement of GDPR.

This attack is a little different to the one seen against Ticketmaster 2017-2018 where Ticketmaster was loading scripts from a 3rd party which were not checked for integrity. Brithish Airways was loading a script from one of their own trusted subdomains

although any subdomain on your domain is assumed to be trusted this may this is probably not the best way to manage the problem of loading scripts. Whenever a script is loading from any external source be that a trusted subdomain or external repository they must have integrity checks to ensure the script has not been edited without consent.

A penetration test on British airways web infrastructure should have flagged javascript being loaded without integrity checking. It is surprising that this issue was not caught earlier and prevented. The amount of access an attacker would have had to have to edit resources on one of their servers would have had to be substantial. A penetration test would have allowed hardened their infrastructure from such attacks and should have made it more difficult for an attacker to enter into their systems.





Share this page

Go back