Card Not Present Fraud , Cybercrime , Cybercrime as-a-service

British Airways Finds Hackers Stole More Payment Card Data

Investigators Now Count 429,000 Data Breach Victims
British Airways Finds Hackers Stole More Payment Card Data
Photo: British Airways

British Airways has discovered that hackers compromised payment card data and personal details for 185,000 more customers than it had originally thought, after discovering that its systems had been first compromised not in August, but rather in April. It now counts 429,000 data breach victims.

See Also: H1 2024 - Phishing Frenzy: C-Suite Receives 42x More QR Code Attacks than Average Employee

On Sept. 6, the airline first warned that 380,000 customers' payment cards and personal details may have been stolen by hackers from Aug. 21 to Sept. 5. The breach affected customers who had bought or changed their ticket using the airline's website or mobile app (see: Hacker Flies Away With British Airways Customer Data).

British Airways says it immediately began working with digital forensic specialists at the U.K.'s National Crime Agency to investigate the intrusion.

On Thursday, in a London Stock Exchange news announcement, the airline's parent company, Madrid-based International Airlines Group, announced that the data breach investigation has concluded and that it found that the hack attack had begun earlier than it originally thought.

"The investigation has shown the hackers may have stolen additional personal data," IAG reports.

More Data Breach Victims

British Airways says it's begun notifying two more groups of breach victims:

  • 77,000 payment card holders who were not previously notified, and whose payment card information - including card number, expiry date and CVV - as well as name, billing address and email address may have been compromised.
  • 108,000 payment card holders whose same information - except for CVV - may have been compromised.

British Airways says their information was potentially compromised between April 21 and July 28. This involved only customers who were using their airline frequent-flier miles to make reward bookings and who also used a payment card.

While the airline previously warned that between Aug. 21 to Sept. 5, hackers compromised 380,000 customers' personal information and payment card details, it has reduced that count to 244,000 customers. "Since the announcement on Sept. 6, 2018 British Airways, can confirm that it has had no verified cases of fraud," the company states.

Researchers See Magecart at Work

British Airways has declined to comment on who may have hacked it. But some information security researchers have tied its breach to the work of an umbrella group of cybercrime operators called Magecart (see RiskIQ: British Airways Breach Ties to Cybercrime Group).

Last month, security firm RiskIQ reported finding that card-stealing JavaScript code had been injected into a script on the airline's website.

Magecart specializes in what RiskIQ calls "digital skimmer" software, by which it means malicious code that's designed to scrape payment card data entered by an e-commerce website customer when they pay for a transaction.

"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," Yonathan Klijnsma, a threat researcher at RiskIQ, says in a blog post.

RiskIQ says the British Airways website, plus the booking page, had 30 different scripts loaded, each of which might run up to thousands of lines of code. Comparing scripts on the site before and after the airline's breach notification, Klijnsma says RiskIQ found that one script was "a modified version of the Modernizr JavaScript library ... [that] was loaded from the baggage claim information page on the British Airways website."

Modernizr is a third-party library that Klijnsma says the airline was hosting on its own servers.

RiskIQ says malicious software inserted into websites by Magecart may have breached as many as 800 other e-commerce sites. It says other Magecart victims have included Ticketmaster, e-commerce site Newegg and the Shopper Approved e-commerce service.

Security researchers also report that Magecart infected Feedify, a website push notification service based in India, and then re-infected the site at least two more times after its administrators attempted to expunge the injected code.

After Breach, Class Action Threat

Meanwhile, the British Airways breach has also sparked the threat of a £500 million ($640 million) class action lawsuit by SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, on behalf of breach victims', for the "inconvenience, distress and misuse of their private information" caused by the data breach (see: British Airways Faces Class Action Lawsuit Over Data Breach).

The group action - aka class action - is legally possible thanks to the EU's General Data Protection Regulation, which came into full effect on May 25. GDPR gives Europeans new compensation rights if their personal data gets mishandled.

GDPR, article 82 excerpt (Source:

GDPR states: "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

String of Airline Breaches

On Wednesday, Hong Kong-based airline Cathay Pacific said that personal details for 9.4 million passengers had been inappropriately accessed in March, which it confirmed in "early May." The airline has been criticized for then waiting five months to warn customers (see: Cathay Pacific Says 9.4 Million Affected by Data Breach).

In August, Air Canada reported that it was forcing password resets for 1.7 million users of its mobile app after it detected unusual login behavior that it says may have exposed 20,000 accounts, including customers' passport details (see: Air Canada: Attack Exposed 20,000 Mobile App Users' Data).

Story updated to reflect that the total number of potentially affected breach victims now stands at 429,000 not 565,000, after British Airways clarified that no payment card data or personal information was exposed for the 136,000 individuals over-counted as part of its initial breach report.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.