More than six weeks after British Airways (BA) revealed that hackers had skimmed the unprotected card details of over 380,000 people from its systems, the flag carrier says it has found out that the attack was both better – and worse than initially thought.
Investigations by specialist cyber forensic investigators and the National Crime Agency have revealed that the hackers may have stolen the details of a further 77,000 payment cards with CVV details and an additional 108,000 without the CVV.
British Airways Hack Update: Both Better (and Worse) than Thought
The “potentially impacted” customers were those making reward bookings between April 21 and July 28, 2018, and who used a payment card, BA said.
There was a silver lining though: of the initial 380,000 initially thought compromised, the number was in fact 244,000.
(Cybersecurity company RiskIQ meanwhile says it has identified the 22 lines of code that facilitated the Magecart attack, claiming the script was a modified version of the Modernizr JavaScript library, version 2.6.2)
See also: Magecart Stockpiling Magento Extension 0days: Is Your Business at Risk?
British Airways Hack Update: No Fraud (Yet)
The airline said Thursday: “While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.” The airline: “Crucially, we have had no verified cases of fraud.”
The company concluded, rather contradicting its above statement: “As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft.” Computer Business Review has contacted the airline to clarify whether any customers have, or have not suffered financial losses.
Read this: The Cathay Pacific Hack: Should You Really Care? (And What’s a Passport Number Worth on the Dark Web?)
RiskIQ described the attack, which it attributed to the notorious Magecart threat group as a “simple but highly targeted approach”.
Tthe company described this skimmer as “very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”