British Airways: If you're feeling left out of our 380,000 passenger hack, then you may be one of another 185,000 victims

British Airways' horror hack is worse than first thought: the world's favorite airline has added 185,000 cardholders to the pile of 380,000 potentially caught up in the IT security breach. In September, it emerged that hackers spent two weeks slurping the personal and payment card data of people who booked travel via BA's …

  1. Anonymous Coward

    Close call?

    If I was BA I would be looking at their own site admins. A lot of the time in these cyber attacks the attacks themselves are internal, through the use of mac changers, IP changing and other methods a hacker can be right at home on site but register online as from another country. Just a suggestion.

  2. David Harper 1

    Re: Close call?

    It was malicious code in a third-party JavaScript library. The most likely explanation is careless web developers at BA's outsourced IT division who used the third-party libraries in the first place. Never attribute to malice what can be adequately explained by incompetence.

  3. cotsweb

    Re: Close call?

    The malicious code wasn't generic, it was specifically crafted to work with the BA website then added to BA's copy of a third party library.

    I still haven't seen any report about how the code got into their codebase, that bit at least looks like malice. Including the malicious code on the payments page may just be incompetence.

  4. Anonymous Coward

    Re: careless web developers at BA's outsourced IT division

    Cut costs, offshore all the IT work and expose yourself to eye watering legal challenges.

  5. steviebuk Silver badge

    Re: Close call?

    I believe it was a code extract (I can't think of the term) that several sites used but was actually hosted elsewhere. So in the BA code, they just linked to this other library but didn't actually bother to check that code. And that external code was compromised.

    Outsourcing can be blamed in a small way for this. Because the external devs will have a time frame they have to stick to. So grabbing code from wherever they can is easy and quick. An internal dev may have done the same but also may have taken the time to check what the external code was doing first.

  6. Anonymous Coward

    Re: Close call?

    "The most likely explanation is careless web developers"

    AKA devops and docker hub

  7. low_resolution_foxxes

    Re: Close call?

    Cause and effect perchance? 2016 they outsourced 1000 IT jobs to India, either it wasn't protected well enough or the former IT support team backdoored their way in.

  8. Dan 55 Silver badge

    Re: Close call?

    Why the former team? It could easily be the present team...

  9. Griffo

    Poor Handling

    One of my co-workers had their data slurped via this attack. He had to cancel his card obviously, but luckily BA sent him a nice email with a free offer to a 12 month subscription for a credit monitoring that would look for attempts to leverage the information that was stolen.

    Only issue was.. the offer was only valid for UK residents. So basically, if you used BA, got hacked, and were not a UK resident, then they effectively said "screw you".

  10. Richard 12 Silver badge

    Re: Poor Handling

    Not necessarily.

    A credit card is registered in a particular country, so perhaps they're using that to choose which credit monitoring service to offer.

    Possibly.

  11. Anonymous Coward

    Incompetent all round

    information-siphoning code inserted into third-party JavaScript libraries used by BA's website

    I knew their website was crappily coded, not working properly on some browsers, but to use 3P JS code on a website that collects payment details is verging on criminal negligence.

    “British Airways can confirm that it has had no verified cases of fraud.”

    Really? So why did AmEx contact me to tell me they were replacing my Corporate card after detecting fraudulent transactions. That card hadn't been used for much, recently. Just some BA travel in June...

  12. Def Silver badge

    Re: Incompetent all round

    Using third party source code that hasn't been fully vetted and verified in any application should be considered criminal negligence. If you don't know exactly what all of your code is doing, you shouldn't be allowed near a keyboard. This goes double for open source software. And you should never reference libraries served from a server out of your control.

    Using third party libraries that ship in binary form should never be used in publicly released software without a bulletproof contract in place to protect you from a legal standpoint.

    The buck has to stop somewhere. Make sure it isn't with you.

  13. Pascal Monett Silver badge

    Hopefully, since 3rd-party JS libraries are visibly becoming a valid attack vector, companies are going to have to take their thumbs out and remove that vector from their attack surface.

    So I hope more of this is going to happen, so that companies are pressured to put an end to the possibility once and for all.

  14. John Robson Silver badge

    Re: Incompetent all round

    "Using third party libraries that ship in binary form should never be used "

    So never use Windows in a production environment, and make sure you employ all the Linux kernel developers?

    At some point you have to trust third parties...

  15. Pascal Monett Silver badge

    Ah, so Windows uses 3rd party JavaScript libraries it downloads from the Internet ?

    Another reason to not go to Windows 1 0.

    Don't confuse the argument. We're not talking about OS here, we're talking about the sickness that is developers hooking into any old Git repository and thinking that everything is peachy.

    It's not, and this is the proof.

  16. Def Silver badge

    Re: Incompetent all round

    At some point you have to trust third parties...

    Why?

  17. Down not across

    Re: Incompetent all round

    I knew their website was crappily coded, not working properly on some browsers, but to use 3P JS code on a website that collects payment details is verging on criminal negligence.

    Fixed that for you.

    Page collecting payment information should have no need for any script. Just collect the information on the form and submit the information.

    As an added bonus it might work better too.

  18. Anonymous Coward

    Re: Incompetent all round

    At some point you have to trust third parties...

    Not without a signed contract.

  19. Danny 14 Silver badge

    Re: Incompetent all round

    You do trust third parties. You buy their product and install it on your own webserver. That way it doesn't bugger off outside your web farm perimeter.

  20. tiggity Silver badge

    surprise?

    "British Airways' horror hack is worse than first thought"

    .. No, it's worse than they originally admitted - in cases where hack went unnoticed for ages you have to assume the worst, not hope for the best, BA should have taken the glass half empty approach

  21. 0laf Silver badge
    Flame

    Having tried to book flights with BA earlier in the year I can only guess that those customers who didn't have all their details sniffed got halfway through the process and were so frustrated by the fucking appalling website that they gave up like I did.

    In fairness however I found practically every airline's website to be a fucking nightmare designed to extract accidental extra payments before bombing out with some random java error or just failing to respond at some critical point.

  22. Anonymous Coward

    No confirmed fraud?

    Last week our company credit card suddenly had two transactions, one for £2k and another for £300, appear fraudulently. Looking back over the usage logs (every purchase is recorded), the only known hacked site it had been used on was BA on Sept 4th - one day before the hack was fixed.

    So yeah, BA, pretty sure that counts as confirmed fraud.

    (Anonymous cos, y'know)

  23. Anonymous Coward

    Re: No confirmed fraud?

    >Last week our company credit card suddenly had two transactions, one for £2k and another for £300, appear fraudulently.

    If you provide your bank account details and sort code we will refund the monies and £100 compensation because of our error.

    Oh for a Phonejacker icon, come on Reg these icons need a refresh.

  24. Definitely Not Me

    Not third party code

    This wasn't due to any third party code. The original breach involved somebody changing BA's own JS code to insert additional functions.

    This latest one may be different, but there aren't any details as yet. What is somewhat odd is that this one predated the other one, and based on the published dates ended much earlier. So did somebody spot this at the time and remove the offending code? Only for it to re-appear elsewhere on their site later. Or did the person who added it realise there was a better place for it, so removed it themselves?

  25. Version 1.0 Silver badge
    Meh

    Re: Not third party code

    Perhaps the first one was just a test, then the code was updated and it's considered a separate breach now? I'd be surprised if the hackers behind this code are not working on a better version and planning a new hack somewhere else.

  26. Anonymous Coward

    Re: Not third party code

    This wasn't due to any third party code. The original breach involved somebody changing BA's own JS code to insert additional functions.

    Read the report: "BA's payment page still loads content from seven external domains."

  27. Alister Silver badge

    Re: Not third party code

    This wasn't due to any third party code. The original breach involved somebody changing BA's own JS code to insert additional functions.

    You are wrong. It was the Modernizr third-party script library that was infected. However, BA chose to host a local copy of it on their own domain.

  28. Anonymous Coward

    This is why I like virtual cards

    I have an account that creates virtual, one-off cards which are excellent for exactly this purpose. As for "regular" credit cards, the service has the ability to "disable" the mag strip (which basically suggests that the swipe simply has a code that distinguishes it from the chip payment instruction) so cloning it via the swipe is also not going to work.

    The sad thing is that you need it - you simply cannot assume a service has enough security in place :(

  29. Dan 55 Silver badge

    Re: This is why I like virtual cards

    My bank doesn't offer it as presumably it'd be too complicated for the little customers to wrap their heads around so I'm reduced to trusting PayPal when buying online.

    Small online stores' lack of security coupled with banks' inability to ask customers to do anything which might require half a braincell means behemoths like PayPal and Amazon get created.

  30. Anonymous Coward

    Explains a lot

    While not in the original round the new timeline does explain over £3800 of fraudulent transactions on my card. No message from BA though mentioning I was in the breached details issue.

    Looks like they still haven't got a full handle on it.

  31. Keith Oborn

    Experian---

    Department of Hollow Laughs: British Airways just told me that I am one of the people who’s credit card details got taken in the recent breach. To be fair to BA, they have been pretty proactive in fessing up to this. The email includes a free offer to join Experian ProtectMyId. So I completed that form, and the last item was a requirement to take a credit card to “validate”. Then I thought: “Hang on. Experian. Kind of frying pan to fire here--“. Ho hum.

  32. Muscleguy Silver badge

    Re: Experian---

    These free offers rely on you not setting or paying attention to a reminder to cancel just before payment starts to be extracted. I just cancelled my Free Netflix month early, before my reminder kicks in because I couldn't find anything else I wanted to watch. Just got an email, watch Sabrina the Teenage Witch. I'm 52 . . .

  33. John Brown (no body) Silver badge

    Re: Experian---

    "Then I thought: “Hang on. Experian. Kind of frying pan to fire here--“. Ho hum."

    In a rational world, you'd sort of expect that any company recently a victim of hacking would be one of the safest to do future business with. It's a shame we don't live in that world.

  34. jfield

    BA Amex

    Called Amex (we have a British Airways card) our card was caught and their response was not to worry and we don't need to replace the card. I mean it's only full name, address, CVV, long card number, would still be hard for a hacker to do anything with

    I told them we "Lost" the card so they would replace it.

  35. s. pam
    FAIL

    Biggest Arseholes

    Deserve to have the beejezus fined out of them and we cancelled our card and trip booked during the August- September hack.

    Why?

    Well Sherlock if the bad guys have your personal details/address and likely your travel dates then can burglary of your home be far behind!

    That’s why!

  36. Alister Silver badge

    “British Airways can confirm that it has had no verified cases of fraud.”

    This fucking annoys me, there are hundreds if not thousands of people who have reported fraudulent transactions on their cards after having used them on the BA site during the relevant period.


Biting the hand that feeds IT © 1998–2018