The British Airways (BA) data breach may have gone on far longer than first thought, as security researchers suggest the perpetrators may have gained access to customer data at least a week before the attack is thought to have happened.
Security researchers from threat-management company RiskIQ claim to have used data accrued from crawling the web to ascertain how the attackers managed to gain access to the payment data of 380,000 of the airline’s customers between 21 August and 5 September 2018.
As reported by Computer Weekly on 7 September, the attackers are understood to have accessed the data of customers who used the BA website and mobile app between these dates.
In a blog post, RiskIQ outlined its findings from analysing the infrastructure setup used by the hackers to carry out the attack, including the revelation they used a paid-for SSL certificate “to make it appear like a legitimate server.”
“What is interesting to note from the certificate [they] used is that it was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st – possibly long before,” the blog post said.
“Without visibility into its internet-facing web assets, British Airways was not able to detect this compromise before it was too late.”
RiskIQ’s findings also suggest BA was the victim of a highly-targeted attack, carried out by a web-based credit card skimming threat group known as Magecart, which has previously been linked to a similar breach at online ticket selling site Ticketmaster.
The group is thought to inject scripts directly into online payment forms on e-commerce websites, or through compromised third-parties, that are used to lift the payment card details of customers.
One noticeable difference between previous attacks and the one against BA is that Magecart appears to have customised the “credit card skimmer” script in this instance, the blog post said.
“This attack is a simple but highly targeted approach compared which what we’ve seen in the past with the Magecart skimmer, which grabbed forms indiscriminately.”
“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.
“The infrastructure used in this attack was set up only with British Airways in mind, and purposely targeted scripts that would blend in with normal payment processing to avoid detection,” it said.
“Companies, especially those that collect sensitive financial data, must realise they should consider the security of their forms – but also the controls that influence what happens to payment information once a customer submits it,” the blog post concluded.
Computer Weekly contacted BA and its parent company, International Airlines Group, and was told by a spokesperson: “As this is a criminal investigation, we are unable to comment on speculation.”