In 2018, British Airways (BA) suffered a major cyber attack that exposed the personal and financial data of hundreds of thousands of customers. Attackers used a card skimming technique to steal information directly from the airline's website and mobile app. This breach led to a significant GDPR fine and highlighted the growing threat of web-based supply chain attacks.
British Airways Data Breach Explained: What Happened?
The British Airways data breach was a sophisticated cyberattack in which threat actors compromised BA's website. They injected malicious code that skimmed customer payment card details in real-time as they made bookings. Discovered in September 2018, the breach exposed sensitive personal and financial information, leading to one of the largest fines issued under GDPR at the time.
When Did the British Airways Data Breach Happen?
The attack took place over a 15-day period, from August 21, 2018, to September 5, 2018. British Airways publicly disclosed the breach on September 6, 2018, shortly after discovering the malicious activity on its systems.
Who Hacked British Airways?
The attack was attributed to Magecart, a notorious cybercrime syndicate specializing in digital credit card skimming. Magecart groups are known for targeting online shopping carts and payment pages by injecting malicious JavaScript to steal customer data. They've hit numerous high-profile e-commerce sites, and the BA attack remains one of their most significant operations.
How Did the British Airways Breach Happen?
The attackers gained access to the British Airways network through compromised credentials for a third-party supplier's system. From there, they were able to modify a key JavaScript file on the BA website, a classic Magecart move. This malicious script was designed to capture customer data from the payment page and send it directly to a server controlled by the attackers.
British Airways Data Breach Timeline
August 21, 2018: Attackers inject malicious code into the British Airways website and mobile app, beginning the data skimming campaign.
September 5, 2018: A third-party security researcher notifies British Airways of the malicious activity. BA’s internal teams confirm the breach and remove the code.
September 6, 2018: British Airways publicly discloses the data breach, begins notifying affected customers, and contacts relevant authorities.
October 2020: The UK's Information Commissioner's Office (ICO) issues a final penalty of £20 million for GDPR violations related to the breach.
Technical Details
The core of the attack was the modification of the Modernizr.js JavaScript library on the British Airways website. Attackers added just 22 lines of malicious code to this legitimate file. This code was designed to activate on the payment confirmation page, where it would scrape form fields containing names, addresses, and full credit card details (including CVV numbers). The captured data was then exfiltrated to a server at baways.com, a domain set up by the attackers to mimic the real BA site.
Indicators of Compromise (IoCs)
Key IoCs associated with the British Airways breach include:
Malicious Domain: baways.com
Malicious Script: A modified version of Modernizr.js containing skimming code.
Attack Vector: Compromise of a third-party supplier's credentials leading to unauthorized access and modification of website code.
Forensic and Incident Investigation
Investigations led by the UK's ICO found that British Airways had failed to implement adequate security measures to protect its network and customer data. The probe revealed poor security arrangements on several fronts, including limited multi-factor authentication, a lack of rigorous testing on business-critical systems, and insufficient protection of the broader network. These failings allowed attackers to gain initial access and remain undetected for over two weeks.
What Data Was Compromised in the British Airways Breach?
The breach exposed a significant amount of sensitive information. The attackers specifically targeted data entered during the booking process. The compromised data included:
Personal Identifiable Information (PII): Full names, billing addresses, and email addresses.
Financial Information: Credit card numbers, expiration dates, and CVV codes.
Notably, travel and passport details were not affected. The data was exfiltrated directly from the website and was not encrypted at the point of theft.
How Many People Were Affected by the British Airways Data Breach?
The breach impacted approximately 429,000 customers and staff. This figure includes individuals who made bookings on the BA website and mobile app during the 15-day attack window.
Was My Data Exposed in the British Airways Breach?
British Airways directly notified all customers it identified as being affected by the breach. If you made a booking between August 21 and September 5, 2018, and did not receive a notification, your data was likely not compromised. The airline advised affected individuals to contact their banks or credit card providers for guidance on monitoring their accounts for suspicious activity.
Key Impacts of the British Airways Breach
The fallout from this breach was massive and hit BA on multiple fronts.
Financial Loss: The ICO initially intended to fine British Airways £183 million, but this was later reduced to £20 million due to the economic impact of the COVID-19 pandemic. The company also faced costs related to customer compensation and legal fees.
Reputational Damage: The breach severely damaged customer trust. The flag carrier of the United Kingdom failing to protect payment data led to widespread negative press and public outcry.
Regulatory Scrutiny: The incident became a landmark case for GDPR enforcement, demonstrating the serious financial consequences of failing to protect customer data.
Response to the British Airways Data Breach
British Airways acted quickly once the breach was discovered. The airline's response included:
Immediately removing the malicious code from its website.
Launching a full investigation with help from cybersecurity experts.
Notifying affected customers and advising them to take protective measures.
Coordinating with law enforcement and the National Cyber Security Centre (NCSC).
Publicly apologizing and offering to reimburse customers for any financial losses.
Lessons from the British Airways Data Breach
This incident offers some hard-learned lessons for any organization with an online presence.
Third-Party Risk is Your Risk: Compromised credentials from a supplier were the entry point. You need to hold your partners to the same security standards you hold yourself. Vet your vendors!
Web Skimming is a Major Threat: Attackers are targeting websites directly. Regularly monitoring your web assets for unauthorized changes is non-negotiable.
Basic Security Hygiene is Critical: The ICO pointed to a lack of multi-factor authentication (MFA) and other basic controls. Nailing the fundamentals can prevent a catastrophic breach. Don't skip the basics.
GDPR Has Teeth: The massive fine, even after being reduced, proved that regulators are serious about data protection and will penalize non-compliance heavily.
Is British Airways Safe after the Breach?
Following the breach, British Airways implemented "considerable" security improvements. The company worked with cybersecurity experts to overhaul its security protocols, enhance monitoring capabilities, and strengthen access controls to prevent a similar incident. While no organization can ever be 100% immune to attack, BA took significant steps to fortify its defenses.
Mitigation & Prevention Strategies
Don't let what happened to BA happen to you. Here are some practical steps to defend against similar web-skimming attacks:
Enforce Multi-Factor Authentication (MFA): Implement MFA across all critical systems, especially for remote access and third-party accounts.
Monitor Your Web Assets: Use file integrity monitoring and other tools to detect unauthorized changes to your website's code, especially critical JavaScript files.
Patch Everything, Always: Keep all systems, software, and applications updated with the latest security patches to close known vulnerabilities.
Implement a SIEM: Use a Security Information and Event Management (SIEM) solution to gain visibility into your network and detect suspicious activity in real time.
Vet Your Supply Chain: Scrutinize the security practices of all third-party vendors with access to your network or data.
Related Data Breach Incidents
MOVEit
Okta
MGM Resorts
British Airways Data Breach FAQs
Businesses can prevent similar attacks by enforcing strict access controls with multi-factor authentication (MFA) and regularly monitoring website code for unauthorized changes. It's also critical to manage third-party risk by vetting vendors and limiting their access to only what is necessary.
Protect What Matters
