#BritishAirwaysHack: All it took was 22 lines of code
Following a massive security breach that left the data of 380,000 British Airways customers compromised, cybersecurity firm RiskIQ has now found that it took hackers a mere 22 lines of code to steal the data. Meanwhile, UK law enforcement agencies, including the National Crime Agency and the National Cyber Security Centre, are still continuing their investigations into the hack. Here are the details.
"The personal and financial details of customers making bookings on our website and app were compromised. The breach has been resolved and our website is working normally. We've notified the police and relevant authorities," British Airways had said after the breach.
Drawing on earlier experience, RiskIQ speculated that a hacker group called Magecart was behind the British Airways hack. Magecraft was also responsible for the Ticketmaster UK hack earlier this year, which saw the data of 400,000 customers getting compromised. Notably, Magecraft's modus operandi involves injecting lines of malicious code into payment forms - an MO which was abundantly clear in the British Airways hack.
"The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts," said RiskIQ in a statement.
RiskIQ found that the hackers, using 22 lines of code, modified a Modernizr javascript version 2.6.2 (a library that detects user actions like clicks and taps) on British Airways' website to steal customers' data between August 21 and September 5. The modification allowed BA customers' data to be uploaded to the hackers' servers any time someone clicked the 'Submit' button on a payments form.
Several experts have noted that the British Airways should have detected the change to its code on its production server. The hack has landed the airlines in a fix, and a law firm called SPG law is currently contemplating suing BA for £500 million - it has already put up a dedicated website where affected users can make a claim.
