Last week British Airways admitted the theft of data from some 380,000 transactions made on its website between August 21 and September 5 of this year. Names, email addresses, bank accounts, and other sensitive information were compromised. Now, researchers at threat detection firm RiskIQ have shed new light on how the attackers carried out the heist.
According to the security company, the cybercriminals obtained the data by placing a script on the airline's website. This method, known as a supply chain attack, is an increasingly common problem for pages that incorporate code from third-party vendors. For example, these third parties may provide code to serve advertising, handle logins, or authorize payments. It is not the only case of this kind to come to light in recent months: the ticketing company Ticketmaster suffered a similar attack that affected some 40,000 users in the UK.
RiskIQ also reported that the script was linked to the British Airways baggage claim information page. Before the breach, it had last been modified in December 2012. Investigators quickly realized that the attackers had revised the component to include code (only 22 lines) of a kind often used in clandestine manipulations. The malicious code took the data that customers entered into a payment form and sent it to an attacker-controlled server when a user clicked or tapped a submit button. The attackers even paid to set up a security certificate for their server, a credential that confirms that a server has web encryption enabled to protect data in transit.
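A defender-side check for the kind of change described above, as an added example that is not code from RiskIQ or British Airways: it compares each served script against a known-good hash baseline and flags hostnames that are not on an allowlist. The file name, hostnames, and sample script bodies are constructed for illustration.

```javascript
const crypto = require("crypto");

// SRI-style digest of a script body, as used in integrity="sha384-..." attributes.
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Hostnames in absolute URLs inside the script. Literal URLs only: an obfuscated
// endpoint will not match, which is why hash drift is the primary signal.
function referencedHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Compare one served script against the baseline and the host allowlist.
function auditScript(name, body, baseline, allowedHosts) {
  const findings = [];
  const actual = sriDigest(body);
  if (!Object.hasOwn(baseline, name)) {
    findings.push({ type: "unbaselined-script", name });
  } else if (baseline[name] !== actual) {
    findings.push({ type: "hash-drift", name, expected: baseline[name], actual });
  }
  for (const host of referencedHosts(body)) {
    const ok = allowedHosts.some((a) => host === a || host.endsWith("." + a));
    if (!ok) findings.push({ type: "unknown-host", name, host });
  }
  return findings;
}

// Constructed sample data: a long-unchanged library file and a copy with lines appended.
const ORIGINAL = "/* feature-detect.js (constructed sample) */\nvar features = { ready: true };\n";
const MODIFIED = ORIGINAL +
  "/* appended block (constructed, inert) */\nvar endpoint = 'https://collector.example.invalid/in';\n";
const BASELINE = { "feature-detect.js": sriDigest(ORIGINAL) };
const ALLOWED_HOSTS = ["airline.example"]; // hypothetical first-party domain

function runDemo() {
  return {
    clean: auditScript("feature-detect.js", ORIGINAL, BASELINE, ALLOWED_HOSTS),
    modified: auditScript("feature-detect.js", MODIFIED, BASELINE, ALLOWED_HOSTS),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run on a schedule against what the site actually serves, a check like this reports a change to a script that has been static for years as soon as its digest stops matching the baseline.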
These are not good times for British Airways. Last May and July, the company had to cancel and delay some flights due to power failures, which drew complaints from its customers. Now come 38,000 compromised transactions. The UK National Crime Agency is already investigating the incident. If British Airways is found to have been negligent in protecting its users' data, the company could be fined up to 4% of its global profits.