British Airways has revealed that 380,000 customers have had their credit card details stolen in a “very sophisticated, malicious” cyberattack.
Details entered during online bookings between August 21st and September 5th were compromised. The exposed data included names, physical and email addresses, and full card details – including CVV numbers, which BA says were not stored, meaning that the card details were most likely intercepted rather than having been stolen from BA’s database.
“We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered,” said CEO Alex Cruz.
According to BA, all customers affected by the breach were contacted yesterday evening, the day after the incident was first noticed. The company also assured customers that travel and passport information had not been exposed.
Because CVV numbers were exposed, and BA were able to give a precise timeline for the period of the attack, it has been suggested that the attack was carried out by a malicious script added to BA’s website, either directly or via the compromise of a third party, as was the case in the Ticketmaster breach reported a few months ago.
At that time, RiskIQ researchers linked the hack to a vast card-skimming operation by a group referred to as ‘Magecart’, which they believed affected more than 800 websites around the world.
While there’s no evidence so far to suggest a link between the BA hack and Magecart, injected card-skimming script appears to have been responsible for so many high-profile attacks that CISOs, particularly at companies with major e-Commerce operations, need to pay close attention to the security and integrity of their company websites.
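One way to watch script integrity on a payment page, as an added example that is not part of the original article: inventory every script the page loads, hash its content, and flag anything new or changed against a known-good baseline. The hosts, script bodies and function names are constructed for illustration, and `fetched` is assumed to hold the body already retrieved for each script URL.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri(body):  # SRI-style digest (sha384, base64) of a script body
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

class ScriptCollector(HTMLParser):  # gathers external script URLs and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.external.append(src)
        elif tag == "script":
            self._open = True
            self.inline.append("")
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        self._open = False  # inside <script>, only </script> can end the element

def inventory(html, fetched):
    """Map each script (URL or inline#n) to the digest of its content."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    inv = {url: sri(fetched[url]) for url in c.external}
    return inv | {f"inline#{i}": sri(b) for i, b in enumerate(c.inline)}

def compare(baseline, current, own_host):
    """List scripts that are new, or whose content changed, since the baseline."""
    findings = []
    for key, digest in sorted(current.items()):
        if key not in baseline:
            off_host = urlparse(key).hostname not in (None, own_host)
            findings.append(("new-third-party" if off_host else "new-script", key))
        elif baseline[key] != digest:
            findings.append(("modified", key))
    return findings

# Constructed sample data: hypothetical hosts and script bodies.
JS, CDN = "https://shop.example/js/checkout.js", "https://cdn.example.net/widget.js"
PAGE_V1 = f'<script src="{JS}"></script><script>init();</script>'
PAGE_V2 = PAGE_V1 + f'<script src="{CDN}"></script>'
BODIES_V1 = {JS: "function pay(){submit();}"}
BODIES_V2 = {JS: "function pay(){submit();} // edited", CDN: "render();"}
FINDINGS = compare(inventory(PAGE_V1, BODIES_V1), inventory(PAGE_V2, BODIES_V2), "shop.example")
```

Here `FINDINGS` reports the new off-host script and the changed first-party script, which are the two routes the article describes: compromise via a third party and direct modification.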
Update: Researchers have since determined, on the basis of similarities between the script found on the affected page and the Magecart script, that Magecart – which may be more usefully thought of as a tool used by multiple groups, rather than as a single organised campaign – was in fact most likely behind the attack.