The British Airways breach, in which up to 380,000 website and mobile users’ payment card details were stolen, could have been prevented, according to researchers from the threat detection firm RiskIQ, who have shed new light on how the attackers pulled off the heist.
It took the attackers just 22 lines of code to get hold of the data. They modified a JavaScript file that the airline's website used to detect user actions such as clicks and taps, and the altered script, in which just 22 lines were changed, stole data between August 21 and September 5. As soon as a customer hit the 'Submit' button on the payment form, the script sent the contents of the form to a server the attackers controlled. Because the mobile app loaded the same page, it captured British Airways customers' names, addresses, phone numbers and payment card details through both the site and the app.
British Airways has told all affected customers that it will cover any direct financial losses they suffer as a result of the breach, which includes compensation for the "inconvenience, distress and misuse of their private information" caused by the breach.
This hack highlights the trouble with lax security practices among companies handling vast amounts of user data. A change to a script served from BA's production web server, a crucial user-facing part of its systems, is exactly what change control and file-integrity monitoring on production exist to catch, and BA's IT team should have spotted it.
According to the researchers who investigated the hack, the takeaway is that tiny website weaknesses can quickly turn into huge exposures. Know your web-facing assets, including every script loaded into your payment pages, and expose only what you need to; otherwise the consequences can be severe.
ACE IT Solutions works with SiteLock to help our clients secure their websites from hackers. SiteLock, the Global Leader in business website security solutions, is the only web security solution to offer complete, cloud-based website protection. Its 360-degree monitoring finds and fixes threats, prevents future attacks, accelerates website performance and meets PCI compliance standards for businesses of all sizes. Contact ACE IT Solutions at 646.558.6358 to sign up for website protection.