Cyber experts have suggested possible methods used by hackers to break into the website of British Airways and steal data of its customers. While the airlines has not revealed any detailed information about the technical aspects of the breach, it has confirmed that personal details of its customers including names, email addresses and credit card information like expiry dates and CVV specifics have been stolen. According to statement issued by BA, the attack was carried out between 21st August and 5th Sept so customers’ details that transacted with the airlines website using their credit card during this period could be at risk.
Hackers stole details of customers at “point of entry” by managing to put a script unto the booking section of the website. This malicious script extracted personal details of customers making flight bookings using their credit cards and sent it to someone else. According to Surrey University’s cyber security expert, Prof Alan Woodard, this breach is a common problem among websites that use third party code making them vulnerable to supply chain style attacks. Popular event ticket management firm Ticketmaster was subjected to a similar attack as BA earlier this year when data breach affected around 40,000 users in United Kingdom.
As the airlines did not give specific details about the breach experts say that the attack could also have been carried out by an employee who could have tampered with the company’s code with malicious intent. According to cyber researcher Robert Pritchard, the manner in which the theft of personal information from credit and debit cards was carried out shows that the details were copied as they were entered by customers or literally “lifted live” as companies are not meant to store CVV numbers. This attack technique shows that security has been comprised at either BA’s booking site or at third party provider’s site.