British Airways Modernizr skimmed payments
British Airways served a modified Modernizr script from its own site during checkout. Magecart skimmed payment and personal data and sent it to baways.com.
Story
British Airways was hit through its own web distribution path. Between August 21 and September 5, 2018, customers using BA's website and mobile app loaded JavaScript that looked like normal site code. The payment flow still worked. A copy of the data went elsewhere.
RiskIQ traced the skimmer to BA's self-hosted Modernizr JavaScript. The attacker appended a small, custom block to the file rather than loading an obvious foreign script. The code watched the payment form, serialized customer and card fields, and sent them to baways.com, a domain chosen to blend in with British Airways naming.
The target was narrow and efficient. The malicious code captured names, billing addresses, email addresses, payment card numbers, expiry dates, and CVV values from customers buying tickets. Public reporting and the ICO put the affected population above 400,000 people, while early BA reporting cited about 380,000 payment-card transactions.
RiskIQ attributed the operation to Magecart. The ICO later fined British Airways 20 million pounds, finding that the attack went undetected until a third party notified the airline. BA removed the malicious code quickly after discovery, but for fifteen days the official checkout path was the skimmer.
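A defender-side check for the appended-block technique described above, as an added example (not code from British Airways, RiskIQ or this record): it compares a served self-hosted script with a pinned baseline, reports append-only drift, and lists hostnames in the changed text that fall outside an allowlist. The baseline text, the inert tampered sample, the URL path and the allowlist are constructed assumptions.

```javascript
// Added example: integrity audit for a self-hosted script.
const crypto = require('node:crypto');

// SRI-style digest of the exact text served.
function sriDigest(text) {
  return 'sha384-' + crypto.createHash('sha384').update(text, 'utf8').digest('base64');
}

// True when host is an allowed domain or a subdomain of one.
function hostAllowed(host, allowedDomains) {
  return allowedDomains.some((d) => host === d || host.endsWith('.' + d));
}

// Compare the served file with the pinned baseline and describe any drift.
function auditScript(served, baseline, allowedDomains) {
  const result = {
    expected: sriDigest(baseline),
    actual: sriDigest(served),
    modified: false,
    appendedBytes: 0,
    unexpectedHosts: [],
  };
  if (result.expected === result.actual) return result;
  result.modified = true;
  // An append-only change keeps the baseline as an exact prefix;
  // otherwise the whole served file is treated as changed text.
  const appendOnly = served.startsWith(baseline);
  const changed = appendOnly ? served.slice(baseline.length) : served;
  if (appendOnly) result.appendedBytes = Buffer.byteLength(changed, 'utf8');
  // Collect hostnames referenced in the changed text, keep those off the allowlist.
  const hosts = new Set();
  for (const m of changed.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  result.unexpectedHosts = [...hosts].filter((h) => !hostAllowed(h, allowedDomains)).sort();
  return result;
}

// Constructed sample data: a stand-in for the pinned library and an inert appended tail.
const BASELINE = '/* pinned library build (constructed stand-in) */\nwindow.Lib={v:1};\n';
const TAMPERED = BASELINE + 'var endpoint="https://baways.com/placeholder";\n';
const ALLOWED = ['britishairways.com'];

console.log(auditScript(BASELINE, BASELINE, ALLOWED));
console.log(auditScript(TAMPERED, BASELINE, ALLOWED));
```

Run against each deployed copy of the file on a schedule, a digest mismatch on a first-party script is an alert on its own; the hostname list only helps triage.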
Affected Artifacts
- Observed: 2018-08-21 to 2018-09-05
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: britishairways.com/scripts/modernizr.js, distribution: britishairways.com, mirror: riskiq.com/blog/labs/magecart-british-airways-breach, file: modernizr-2.6.2.min.js (+12 more)
- Affected scope covered BA website and mobile-app checkout flows that loaded the compromised website JavaScript during the incident window.
- The ICO reported more than 400,000 affected customers; the original BA notice cited about 380,000 payment-card transactions.
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Website Compromise
- Transitive: No
- Actor: Magecart
- User Impact: 380000
External References
- Inside the Magecart Breach of British Airways (riskiq.com)
- British Airways Data Breach Conducted via Malicious JavaScript Injection (infoq.com)
- British Airways Breach: Magecart Formgrabbing Supply Chain Attack Detection (securonix.com)
- British Airways breach was effected by Magecart attackers (helpnetsecurity.com)
- ICO fines British Airways £20m for data breach affecting more than 400,000 customers (ico.org.uk)
Source record: proprietary/british_airways/meta.yaml