A British Airways data breach that exposed as least 380,000 card payments was caused by a card-skimming malware that customers were inadvertently exposed to through the airline’s website and mobile app, according to research from security firm RiskIQ.
British Airways announced last week that hackers had breached the company’s system, compromising hundreds of thousands of card payments. The statement, from the airline’s parent company IAG, said the attack on the site and app began on August 21 and was stopped on September 5. The company said passport and travel information were not included in the hack.
A company spokesperson told Gizmodo at the time that a third-party first discovered the concerning activity and alerted British Arlines, prompting a response and investigation. RiskIQ told Gizmodo that when it discovered the breach, it shared its findings with FBI and the UK’s National Crime Agency, which then alerted British Airways.
Tuesday morning, RiskIQ released a report on its investigation into the breach. The analysis, written by threat researcher Yonathan Klijnsma, shows that hackers compromised the company’s website and app with a card-skimming malware in late August. After this breach, customers who bought plane tickets online had their credit card information scanned and sent to a fraudulent site operated by a server in Romania. This data included email addresses, names, billing addresses, and bank card information.
Similarities between this breach and the Ticketmaster breach in June led RiskIQ researchers to believe that British Airways was attacked by the same group—Magecart. Since Magecard formed in 2015, the collective has been accused of installing card-skimming malware on thousands of sites. “Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK,” the RiskIQ report reads.
British Airways would not provide comment for Gizmodo on RiskIQ’s report, citing the criminal investigation.
“Magecart had direct access to the [British Airways] server,” Klijnsma told Gizmodo. “While they only performed skimming, it could have possibly gone further with the access they had.”