How to avoid a $200 million Hack

British Airways faces a fine of approximately $229m (£183m) after being hacked by a group named Magecart.

The detailed account of what happened is explained in this excellent blog post by RiskIQ. To sum it up, the hackers modified a JavaScript file hosted by British Airways that was loaded by the payment page. We still don’t know how the hackers were able to modify this file.

The URL of this JavaScript file was: https://www.britishairways.com/cms/global/scripts/lib/modernizr-2.6.2.min.js.

This modified version of the file contained 22 lines of malicious JavaScript that sent customer data to a remote domain controlled by the hacker. The data included names, emails, credit card numbers, expiry dates, CVV codes …

This heist of personal data started on August 21, 2018 and ended on September 5, 2018: 15 days, and approximately 500,000 customers impacted. Since it happened after May 2018, the GDPR fine can be up to 4% of annual global turnover.

So what could British Airways have done to prevent the hack or minimize its impact?

  • Some will say British Airways could have implemented subresource integrity.
    • According to Mozilla: Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

I believe that SRI would have been useless in this case. Indeed, both the JS file and the main British Airways website shared the same domain. If the hacker had full control of the British Airways website, he could simply generate a hash of his malicious JS file and include it in the page. SRI could have reduced the amount of stolen data if the hacker had somehow found a way to modify the JS file but not the page that called it, but that’s improbable. Moreover, approximately 8.5% of browsers don’t support SRI.
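To make the argument above concrete, here is an added example (not code from the original post or from British Airways) that emulates what SRI actually checks: the browser recomputes a digest of the fetched bytes and compares it with the value in the `integrity` attribute. The script contents and the `/a.js` path are constructed stand-ins, not the real modernizr file. The third scenario in `demo()` is the author's point: an attacker who can also edit the page simply republishes a matching hash and the check passes.

```python
import base64
import hashlib
import hmac

# Constructed sample contents: stand-ins for the real script, not its actual bytes.
ORIGINAL_JS = b"window.Modernizr = {};\n"
TAMPERED_JS = ORIGINAL_JS + b"/* constructed: extra code appended by an attacker */\n"

SUPPORTED = ("sha256", "sha384", "sha512")  # the digest algorithms SRI accepts


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a page author would publish for `content`."""
    return f'<script src="{src}" integrity="{sri_hash(content)}"></script>'


def verify_sri(content: bytes, integrity: str) -> bool:
    """Emulate the browser's check: recompute the digest of the fetched bytes
    and compare it (in constant time) with the integrity attribute value."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SUPPORTED:
        return False
    expected = sri_hash(content, algo).encode("utf-8")
    return hmac.compare_digest(expected, integrity.encode("utf-8"))


def demo() -> dict:
    """Three scenarios: untampered file, tampered file only, tampered file plus page."""
    published = sri_hash(ORIGINAL_JS)  # the hash baked into the legitimate page
    return {
        # the file the page author hashed: loads normally
        "original_passes": verify_sri(ORIGINAL_JS, published),
        # attacker changed the script but could not touch the page: browser refuses it
        "tampered_script_blocked": not verify_sri(TAMPERED_JS, published),
        # attacker also controls the page and republishes a matching hash: loads fine
        "tampered_with_new_hash_passes": verify_sri(TAMPERED_JS, sri_hash(TAMPERED_JS)),
    }


if __name__ == "__main__":
    print(script_tag("/a.js", ORIGINAL_JS))
    print(demo())
```

The tag printed for `/a.js` is what a same-origin deployment would carry; `crossorigin="anonymous"` is only needed when the script is served from another origin. The model shows why SRI only protects against the case the author calls improbable: it binds the script to the page, not to any trust anchor outside the compromised site.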

When you read the RiskIQ blog post, you understand that British Airways was highly targeted. I believe that such a hack was inevitable, and that British Airways could at least have detected it sooner, way sooner than 15 days. Had they detected the hack during the first hour and corrected it, only approximately 1,300 users would have been affected instead of 500,000. The GDPR fine could have been only a fraction of the current one: $600,000 if it’s proportional to the number of users.

So what was the solution to detect it sooner?

The answer is a simple script that runs every few minutes, monitors the JavaScript file for any changes, and sends a notification describing the changes made. A human then analyses the changes…
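The monitor described above, written out as an added example (not the post's own script and not GuardScript's product): each cycle fetches the file, hashes it, compares against a stored baseline, and on a mismatch produces a report with both hashes and a unified diff for the human reviewer. The `js_baseline.json` state file, the `example.invalid` URL and the two script versions are constructed for the demo; `fetch_http` is what a real deployment would pass in place of the offline fetcher.

```python
import difflib
import hashlib
import json
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Assumption: baseline state is kept in a local JSON file next to the script.
BASELINE_FILE = Path("js_baseline.json")

# Constructed sample: two successive versions of one script (not the real BA file).
DEMO_URL = "https://example.invalid/static/lib.min.js"
DEMO_VERSIONS = [
    b"/* lib 1.0 (constructed stand-in) */\nwindow.Lib = {};\n",
    b"/* lib 1.0 (constructed stand-in) */\nwindow.Lib = {};\n"
    b"/* constructed: injected lines */\nwindow.__x = 1;\n",
]


def fetch_http(url: str) -> bytes:
    """Fetch the live resource; production use only, the demo stays offline."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def load_baseline(path: Path = BASELINE_FILE) -> Dict[str, dict]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_baseline(baseline: Dict[str, dict], path: Path = BASELINE_FILE) -> None:
    path.write_text(json.dumps(baseline, indent=2))


def _record(body: bytes) -> dict:
    return {"sha256": hashlib.sha256(body).hexdigest(),
            "content": body.decode("utf-8", errors="replace")}


def check_resource(url: str, fetch: Callable[[str], bytes],
                   baseline: Dict[str, dict]) -> Optional[str]:
    """Return None if `url` is unchanged (or seen for the first time, in which case
    it is recorded); otherwise a report with both hashes and a unified diff.
    The baseline is deliberately not overwritten on change, so the alert repeats
    every cycle until a human reviews the diff and calls accept_change()."""
    current = _record(fetch(url))
    previous = baseline.get(url)
    if previous is None:
        baseline[url] = current
        return None
    if previous["sha256"] == current["sha256"]:
        return None
    diff = difflib.unified_diff(
        previous["content"].splitlines(), current["content"].splitlines(),
        fromfile=f"{url} (baseline)", tofile=f"{url} (current)", lineterm="")
    return (f"ALERT: {url} changed\n"
            f"  baseline sha256: {previous['sha256']}\n"
            f"  current  sha256: {current['sha256']}\n" + "\n".join(diff))


def accept_change(url: str, fetch: Callable[[str], bytes], baseline: Dict[str, dict]) -> None:
    """Human-approved re-baseline after the diff has been reviewed."""
    baseline[url] = _record(fetch(url))


def notify(report: str) -> None:
    """Placeholder: route to e-mail, chat webhook or ticketing in a real deployment."""
    print(report)


def run_once(urls: List[str], fetch: Callable[[str], bytes] = fetch_http,
             path: Path = BASELINE_FILE) -> List[str]:
    """One polling cycle: meant to be invoked every few minutes by cron or a scheduler."""
    baseline = load_baseline(path)
    reports = [r for r in (check_resource(u, fetch, baseline) for u in urls) if r]
    for r in reports:
        notify(r)
    save_baseline(baseline, path)
    return reports


def demo() -> List[Optional[str]]:
    """Poll the constructed resource twice: first sight is silent, the change alerts."""
    versions = iter(DEMO_VERSIONS)
    baseline: Dict[str, dict] = {}
    return [check_resource(DEMO_URL, lambda _url: next(versions), baseline)
            for _ in DEMO_VERSIONS]


if __name__ == "__main__":
    for report in demo():
        print(report or "no change")
```

Keeping the full previous content in the baseline, rather than only its hash, is what lets the notification carry a readable diff: 22 added lines in a file that was otherwise stable for years stand out immediately. Hashing the raw bytes (not the decoded text) also catches changes the `errors="replace"` decoding would otherwise mask.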

You could build this on your own, or use a service that offers it, like our own: https://www.guardscript.com

The compromised British Airways JavaScript file had not been changed for 6 years before it was hacked; any modification should have raised flags.

Sammy Collins
