NormShield Blog

British Airways Breach: Is it a third-party attack?

Your ecosystem

British Airways (BA) announced that 380,000 customer records containing credit card details had been taken during the cyber attack executed between 21 August and 5 September. As one of the major data breach in 2018, the cyber attack, though still fresh, has been speculated by many respectful cyber security researchers about  the cause of the attack and responsibility of the airline to comply certain regulations.

The malicious code on the payment website may be the source.

The source of the attack, not disclosed by British airways and currently under investigation, is most likely the website applications rather than a direct hit to the BA’s database.  Marcus Greenwood, head of UBIO, analysed the web page for payment process of British Airways and discovered that seven external domains that include files from analytics, customer service, and A/B testing tools loaded, external applications which “should not be present on web pages processing customer card data”.

British Airways Breach Leak

Image shown in Greenwood’s medium post (https://medium.com/the-automator/so-about-that-ba-hack-a82e5701f095)

It seems that these external domains make the payment page vulnerable to cross-site scripting (XSS) attacks, an attack which can be performed via any JavaScript file loaded to steal the card details and post to another 3rd party domain.

Thus, as the customer typed their credit card details and personal information, a malicious Javascript code in BA’s website (or in their mobile app) may have been smuggling these details to the sites where cyber criminals have access.

Mustafa Al-Bassam, a doctoral researcher in the UK and a former black hat hacker with LulzSec, provided a complaint under EU GDPR to British Airways before the attack about BA’s check-in page leaking personal information “to countless third parties for advertising purposes, including Twitter, LinkedIn and Google Doubleclick”. In a comment to Al-Bassam’s claims requested by an online news source, British Airways spokesperson told that “the airline had changed JavaScript on the site immediately before the breach as a result of his complaint”.

British Airways Breach Mail

Image: Introduction of Al-Bassam’s complaint posted at https://gist.github.com/musalbas/15420ee8318347a76a0fb3a120825e00

Third-party applications become a major source of data breach

The third-party software applications has become a useful tool for hackers to infiltrate major companies. Another airline company, Delta airlines, experienced data breach because of third-party attack through an online chat application in April (BestBuy, Sears, and KMart are other major companies suffer data breach because of the same application). TicketMaster data breach in June is another third-party attack through an external website application. Whether it is an online form, chatbot, survey application, analytics tool, or a social media extension, software in supply-chain could cause major data breaches.

Falling to meet the regulations such as PCI-DSS (if credit card information is processed) or EU GDPR (if any personal information from an EU citizen is requested) may cause high penalties and major reputation loss. You have to be regularly monitor your company and any third-party vendor and software for compliance. For instance, checking whether your website is GDPR-compliant or not is vital to avoid high penalties that may be forced by EU and you may use free GDPR-compliant checker as a start.

Your ecosystem

Monitoring the cyber risk of your ecosystem that consists of your company and any third-party vendor is crucial. A tool such as NormShield Cyber Risk Scorecard may help you tell your ecosystem risk. Note that your ecosystem multiplies your risk. Learn your score here.