British Airways data breach caused by just 22 lines of malicious JavaScript code

The British Airways hack that saw over 380,000 customers’ details stolen appears to have been caused by just 22 lines of malicious JavaScript.

British Airways data breach caused by just 22 lines of malicious JavaScript code

The revelation comes from cybersecurity firm RiskIQ who claims to have found the code responsible for causing the breach. The information stolen from BA included personal and payment information from the BA website and mobile app. The problem could have been even larger, but thankfully it only affected customers who had used the site and app over a two-week period in late August.

It’s believed that the malicious JavaScript was written and inserted by a fraudulent group known as Magecart. The group had previously been involved in the Ticketmaster breach and had used similar means to accomplish it.

READ NEXT: Your phone lock screen pass can be stolen via its speakers

“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites,” said Yonathan Klijnsma, a threat researcher at RiskIQ.

“Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK.”

A technique called skimming was used in both breaches. Traditionally used by criminals for obtaining credit card details, skimmers usually take the form of devices hidden within credit card readers on ATMs, fuel pumps, and other day-to-day card payment machines. These skimmers then steal and store payment data so a criminal can use or sell to a third party.

READ NEXT: A North Korean hacker is to blame for WannaCry attack

However, for the BA breach, Magecart customised a skimmer and embedded it into the airline’s website which runs on JavaScript. RiskIQ posted a picture of a cleaned up version of the script that it said as very “simple but effective”.


According to RiskIQ, “mouseup” and “touchend”, are events for when someone lets go of the mouse after clicking on a button, or when someone using a touchscreen device lets go of the screen after tapping a button. Basically, this means that once a user hits the button to submit their payment on BA’s compromised site, the information from the payment form is extracted and sent to the attacker’s server.

This particular type of skimmer is very much attuned to how BA’s payment page is set up, according to RiskIQ, which suggests the hackers had carefully considered how to target the airline instead of blindly injecting a regular Magecart skimmer.

With Ticketmaster and BA under their belt, there’s a good chance that another big site could come under fire next.

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

Todays Highlights
How to See Google Search History
how to download photos from google photos