The British Airways breach that ran between August and September 2018 caused a small stir in the media but was in fact distinctly different from many of the breaches we hear about.
Firstly, most data breaches are a “heist”: criminals break into a system, identify files, databases and intellectual property of value (whether that be monetary, political, etc.) and begin exfiltrating it from the network. Just because a breach is a heist doesn’t mean the process is quick; navigating the network, escalating privileges and manipulating users can take months, but nonetheless the aim is the same.
In the case of the British Airways website breach, the hackers didn’t compromise BA’s internal systems, any more than most cash-point cons do. They instead did the equivalent of installing a ‘card skimmer’ on an ATM (cash point): a convincing ‘stick on’ plastic cover that goes over the card slot and reads the card as you pass it into the legitimate ATM. In the case of the BA website, the attackers managed to introduce JavaScript code that loaded on customers’ computers (in their browser), grabbed credit card information as it was entered and sent it to a server controlled by the criminals.
How did it happen?
A website is comprised of multiple parts: the obvious ones we all know about, such as text, images and video. Behind the scenes, web pages are coded in HTML, which is the glue that holds it all together, but in addition to this we have CSS for formatting and JavaScript, which provides extra functionality (popups, form checking, animation, etc.).
The important thing to note is that most of a website owner’s content sits on their own server (or a server they lease), but in some cases it’s simply more convenient to have your website pull some resources (such as JavaScript code) from elsewhere. In fact, a few years back this was very popular in the web development world because it boosted website load times by working around bottlenecks in browsers.
Now, as you can imagine, having components of your website scattered across multiple locations isn’t the best for security, and so the PCI DSS (Payment Card Industry Data Security Standard) specifically states that pages that collect card information should not do this.
You can probably guess where this is going. The payment page on the British Airways website used JavaScript that was pulled in from a third-party server not managed by BA. Rather than target BA’s systems, the hackers simply targeted the third-party server storing this JavaScript and introduced their own malicious code to it. When BA customers went to the payment page, their browser dutifully loaded the JavaScript from that third party and executed it.