On Thursday, September 6th, British Airways announced they were the latest target of a data breach involving compromised credit card data of around 380,000 consumers.
In a statement, the airline clarifies how passport information was not affected by the breach. Financial details were said to be stolen between August 21 and September 5 from both the British Airways website and mobile application.
Due to negligence in data protection, British Airways may have a 4% fine in their hands, as GDPR data protection laws strictly target the global annual income of businesses that make such errors.
According to a security firm, hackers used skimming malware to gain access to consumer payment information. RiskIQ researcher Yonathan Klinjnsma explains how it took only 22 lines of injected code into the airline’s mobile and web platform for the breach to occur. Such online-skimming tactics aren’t new, as Ticketmaster UK was also hit by a similar breach back in June, this caused by the same hacker operatives known as “Magecart”.
“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.”
Hackers specifically customized their coding structure to avoid any possible detection. Once consumers inputted their credit card information and hit “submit”, such data was “extracted…and sent to the attacker’s server,” Klinjnsma reports. Consumer names, including email and billing addresses were also collected.
“Magecart is [still] an active threat…[and has] been active since 2015…” he says. Hackers using this technique of information theft “have continually refined their tactics…to maximize [their] return…”
Consumers of the airline have been urged to get a new card after the breach was reported.
To avoid any further situations such as this, companies must always take precautionary steps of heightened security to ensure consumer data is safe, especially when sensitive information is involved.