The British Airways Hack - What went Wrong
- 01 Sep 2019
- Business Security, Data Breaches, Web Applications
Between August 21 and September 5 British airways suffered a drastic breach of user data including home addresses, credit card information and phone numbers. The perpetrators are unknown but they managed to steal around 500,000 users data with only 22 lines of code.
This code was hidden in a Modernizr version which was initially intended to detect browser features, This script was stored stored on British airways baggage claim subdomain.This was edited by the attacker adding the 22 lines of malicious code. This code was then loaded and pulled directly from payment forms when they submitted it to BA. BA plan to reimburse customers who suffer “direct financial losses” but many are getting ready to get further compensation for their loss of data. On top of these most likely large lawsuits if their future BA have been slapped with a £183.39m fine due to infringement of GDPR.
This attack is a little different to the one seen against Ticketmaster 2017-2018 where Ticketmaster was loading scripts from a 3rd party which were not checked for integrity. Brithish Airways was loading a script from one of their own trusted subdomains baggageclaim.brithishairways.com.
although any subdomain on your domain is assumed to be trusted this may this is probably not the best way to manage the problem of loading scripts. Whenever a script is loading from any external source be that a trusted subdomain or external repository they must have integrity checks to ensure the script has not been edited without consent.