British Airways Data Breach The Work of Magecart | Xuper IT | News

British Airways data breach could be the work of Magecart

On September 6th, British Airways reported it had suffered a data breach that was believed to have affected around 380,000 customers. The airline stated personal and financial details for customers making or changing bookings on the website and mobile app (between Aug. 21 and Sept. 5) had been compromised, but the stolen data did not include travel or passport details.

Threat intelligence company RiskIQ Inc. has since reported that, based on its analysis of the evidence, it suspects the data breach may have been the handiwork of the threat actor group Magecart. Magecart focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach, which was discovered in June 2018.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that was targeting e-commerce sites worldwide. The RiskIQ team believed the breach was the work of Magecart, and was likely not an isolated incident, but part of a larger campaign. RiskIQ researcher Yonathan Klijnsma stated in a blog post that he noticed similarities with the Ticketmaster breach because the British Airways data breach announcement said the breach affected the website and mobile app, but made no mention of databases or servers.

These similarities between the Ticketmaster breach and the British Airways breach led the RiskIQ team to look into Magecart’s activity. Klijnsma said that because the reports only covered customer data stolen directly from payment forms, they immediately suspected Magecart. Following the attack on Ticketmaster, RiskIQ was able to find the entire trail of the incident and discover more websites affected by online credit card skimming.

However, the one key difference in this attack was that Magecart directly targeted the British Airways site, rather than a third-party service as they had done previously, showing that they planned their attack around British Airways’ unique site structure and functionality. The mobile app also uses very similar functionality to the website, and therefore could be hijacked in the same way.

Klijnsma wrote: “While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it targets particular brands and companies.