Researchers implicate online card-skimming group in British Airways hack

The same group may have been behind the Ticketmaster breach in the UK.
A British Airways 747 at London Heathrow. (Daniel Mennerich / Flickr)

The recent hack of the British Airways website and mobile app, which affected some 380,000 card payments, was carried out by a criminal group known for collecting online payment data en masse, according to new research.

After the airline said last week that the theft occurred between Aug. 21 and Sept. 5, threat intelligence company RiskIQ reviewed breach-related data and pinned the hack on Magecart. The group is fond of online “card skimming” – or using malicious scripts to siphon off insecure payment data. Magecart allegedly breached the British website of Ticketmaster, the global entertainment ticketing service, a hack disclosed in June.

Whereas the Ticketmaster UK breach came through a third party, Magecart customized this attack to the British Airways website’s “unique structure and functionality,” according to RiskIQ.

The British Airways hack “is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, RiskIQ’s head researcher. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”


The British Airways breach is an example of how Magecart is targeting “specific brands, crafting their attacks to match the functionality of specific sites,” Klijnsma wrote in an analysis of the hack.

Magecart members may have breached the airline’s website days before the skimming started. A certificate used by the attackers’ server was issued Aug. 15, according to RiskIQ – nearly a week before the attack reportedly began. “Without visibility into its internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” Klijnsma wrote.

Asked for comment on RiskIQ’s findings, a British Airways spokesperson said, “As this is a criminal investigation, we are unable to comment on speculation.”

On its website, the airline noted that the data stolen in the breach did not include passport or travel details. British Airways also warned customers to be on the lookout for phishing from scammers posing as airline representatives.

Magecart is highly active, according to RiskIQ. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code,” Klijnsma wrote.


UPDATE, 1:58 pm EDT: This story has been updated with a statement from a British Airways spokesperson.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
