Criminals were able to steal even the CVV codes on passengers’ credit cards during the cyber attack.
A cybersecurity firm has found malicious code embedded in the British Airways website and app, which could have facilitated the recent theft of data relating to 380,000 transactions.
Researchers at RiskIQ found evidence of the code, which operates similarly to a card-skimming device, on the BA website during the attack between August 21 and September 5. They said it had been active from August 15, six days before the passengers’ transactions began to be compromised, TTG and the BBC are reporting today.
It is likely that the criminals behind the attack “had access to the British Airways site before the reported start date of the attack – possibly long before”, the analysts said.
Alex Cruz, the airline’s chief executive, has since confirmed that details of names, addresses, email addresses, card numbers, expiry dates and even CVV codes were “stolen”.
The technicalities of the theft have so far centred on the confirmation that among the stolen data were customers’ crucially important three-digit CVV codes.
Retailers are prohibited from storing these codes at any stage of a transaction, leading RiskIQ to believe the theft may have been less of a data hack and more of an interception of data while in transit between BA and its consumers.
“Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart,” the firm said in a research note this morning.
“Traditionally, criminals use devices known as card skimmers – devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day – to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
“Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality, resulting in a high-profile breach of Ticketmaster customer data.
“Based on recent evidence, Magecart has now set their sights on British Airways.”
The firm added: “As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.”
A British Airways spokesperson said: “As this is a criminal investigation, we are unable to comment on speculation.”