British Airways has discovered that hackers compromised payment card data and personal details for 185,000 more customers than it originally thought, after finding that its systems had first been compromised not in August but in April. It now counts 565,000 data breach victims.
On Sept. 6, the airline first warned that 380,000 customers' payment cards and personal details may have been stolen by hackers from Aug. 21 to Sept. 5. The breach affected customers who had bought or changed their ticket using the airline's website or mobile app.
British Airways says it immediately began working with digital forensic specialists at the U.K.'s National Crime Agency to investigate the intrusion.
On Thursday, in a London Stock Exchange news announcement, the airline's parent company, Madrid-based International Airlines Group, announced that the data breach investigation has concluded and that it found that the hack attack had begun earlier than it originally thought.
"The investigation has shown the hackers may have stolen additional personal data," IAG reports.
More Data Breach Victims
British Airways says it's begun notifying two more groups of breach victims:
- 77,000 payment card holders who were not previously notified, and whose payment card information - including card number, expiry date and CVV - as well as name, billing address and email address may have been compromised.
- 108,000 payment card holders whose same information - except for CVV - may have been compromised.
British Airways says their information was potentially compromised between April 21 and July 28. This involved only customers who were using their airline frequent-flier miles to make reward bookings and who also used a payment card.
While the airline previously warned that between Aug. 21 and Sept. 5, hackers compromised 380,000 customers' personal information and payment card details, it has reduced that count to 244,000 customers. It says the other 136,000 customers had their personal details, but no card data, exposed. "Since the announcement on Sept. 6, 2018, British Airways can confirm that it has had no verified cases of fraud," the company states.
Researchers See Magecart at Work
British Airways has declined to comment on who may have hacked it. But some information security researchers have tied its breach to the work of an umbrella group of cybercrime operators called Magecart.
Magecart specializes in what RiskIQ calls "digital skimmer" software, by which it means malicious code that's designed to scrape payment card data entered by an e-commerce website customer when they pay for a transaction.
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," Yonathan Klijnsma, a threat researcher at RiskIQ, says in a blog post.
In British Airways' case, the injected code was found in Modernizr, a third-party JavaScript library that Klijnsma says the airline was hosting on its own servers, rather than in a script pulled from an outside supplier.
RiskIQ says malicious software inserted into websites by Magecart may have breached as many as 800 other e-commerce sites. It says other Magecart victims have included Ticketmaster, e-commerce site Newegg and the Shopper Approved e-commerce service.
Security researchers also report that Magecart infected Feedify, a website push notification service based in India, and then re-infected the site at least two more times after its administrators attempted to expunge the injected code.
After Breach, Class Action Threat
Meanwhile, the British Airways breach has also sparked the threat of a £500 million ($640 million) class action lawsuit by SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, on behalf of breach victims for the "inconvenience, distress and misuse of their private information" caused by the data breach (see British Airways Faces Class Action Lawsuit Over Data Breach).
The group action - aka class action - is legally possible thanks to the EU's General Data Protection Regulation, which came into full effect on May 25, 2018. GDPR gives Europeans new compensation rights if their personal data gets mishandled.
GDPR, article 82 excerpt (Source: gdpr-info.eu)
GDPR states: "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."