The British Airways Breach: 22 Lines of Code Stole the Data of 380,000 People

September 25, 2018 - 7 minutes read

Whether you’re a mobile app developer or user, cybersecurity is serious business. Hackers are becoming more cunning and conniving with each day that passes.

The data of approximately 380,000 British Airways customers could have been jeopardized recently. And it only took 22 lines of code to do it.

Telltale Signs of a Common Culprit

On September 6th, British Airways announced that the personal and payment information of almost 400,000 individuals could have been stolen in a security breach. If you were purchasing flight tickets through the London-based airline’s main website or mobile app between August 21st and September 5th, you may be a victim.

The main suspect behind the attack is Magecart, a criminal group infamous for stealing customer data with digital card skimmers. Essentially, these hackers like to inject malicious code into scripts to steal consumers’ sensitive data from online payment forms like the ones you usually find on e-commerce sites. Recently, the group was also suspected to be behind a similar attack that happened to Ticketmaster UK.

How Magecart Hacked British Airways

Modern websites heavily rely on JavaScript for functionality. When you load the main British Airways site, 20 to 30 scripts are utilized, many of them containing thousands of lines of JavaScript. Magecart compromised a JavaScript library known as Modernizr by adding its 22 lines of code to the bottom end so that no functionality was broken and the change would go unnoticed.

While it’s only 22 lines of code, it is simple and elegant in functionality. Once a user entered in their payment information and hit the button to submit it, all of this data would be sent back to Magecart’s server hosted on If you’d like to see the script, click here for a great detailed guide of the attack that RiskIQ, a San Francisco-based cybersecurity company, put together.

How the Mobile App Was Affected

The British Airways mobile app is considered a hybrid application. Basically, this means that it loads its content from elsewhere. A substantial portion of the building bricks of British Airways’ mobile app came from the airline’s website.

RiskIQ found the app to be an identical match in terms of design and functionality. So when you opened the app during the time of the breach, it loaded the same compromised Modernizr library that was found on the site.

5 Ways to Make Your App More Secure

We got the chance to ask Rob Pope, our CTO and local cybersecurity guru, about the attack. Rob mentioned that if you want to build a truly secure environment, you should focus on building a native app as opposed to a hybrid one. This isolates the code and closes it to the possible problems that website counterparts may have.

Rob also gave some great general tips to strengthen the security of your mobile app:

1. Review Locally Stored Data

Both iOS and Android allow for easy storage of text-based data with low programming overhead. This is usually used to store data such as an app’s settings. These storage areas are easy to manipulate on jailbroken devices; often, developers use them to check whether an app’s paid features are unlocked illegally.

Reviewing the data that gets stored in here can significantly increase the difficulty someone encounters to manipulate your app’s features.

2. Review Local Database Data

iOS and Android can both store information in local app databases. Similar to above, these can be accessed and manipulated on jailbroken devices. Reviewing what information is locally stored in the database and whether any encryption is used can greatly increase the security posture of your app.

3. Transport Encryption

All API connections should utilize a TLS-based HTTPS connection as a standard. SSL pinning is an added layer of security which can slow down an attacker. basically, this pins a certificate on the server to the device, making it much more difficult to get a proxy in place that can sniff out network connections.

While this can be overcome, this extra layer of defense does a great job of impeding a potential attack.

4. Data Encryption

The native features of many devices now include full data encryption when security is enabled on the device. However, developers should still be aware of how they’re handling sensitive data in the app. Encrypting small amounts of data like authentication tokens can be done through native keychain features. But data outside of this in the database or memory needs a custom implementation.

Rob recommends to avoid writing your own encryption and to leverage existing frameworks that have been tried and tested.

5. Backend Security Testing

The greatest risk by far comes from web application issues associated with your backend API. Classic SQL/XML injection attacks are still quite common. So make sure to regularly test for these when you routinely assess your application.

Stay Safe Out There

It’s been highly recommended for British Airways customers to get a new card from their bank.

Magecart has been refining their strategies since its start in 2015 and has begun attacking specific brands like British Airways and Ticketmaster by matching the functionality of their sites and injecting malicious code in subtle ways. It’s highly likely that this isn’t the last we’ll see of this group.

Tags: , , , , , , , , , , , , , , , , , , , ,