Anatomy of a Breach

Anatomy of a Breach: British Airways — 380,000 Payment Cards Skimmed and a Record £183 Million GDPR Fine Proposed

> series: anatomy_of_a_breach —— part: 117 —— target: british_airways —— cards: 380,000 —— proposed_fine: £183,000,000

Hedgehog Security 30 September 2018 14 min read

380,000 payment cards. Skimmed in real time. £183 million proposed fine.

On 6 September 2018, British Airways disclosed that personal and financial data — including names, addresses, email addresses, and complete payment card details (numbers, expiry dates, and CVV codes) — had been stolen from approximately 380,000 customers who made bookings through the BA website and mobile app between 21 August and 5 September 2018. The attack used a Magecart-style technique: the attackers had injected approximately 22 lines of malicious JavaScript into BA's payment page, capturing every card detail entered by customers and exfiltrating them to a server controlled by the attackers.

The ICO's investigation found that BA could have prevented the breach through readily available security measures. In July 2019, the ICO announced its intention to fine BA £183 million — 1.5% of BA's worldwide annual turnover — the largest GDPR fine ever proposed. The fine was subsequently reduced to £20 million (in the context of the COVID-19 pandemic's impact on the aviation industry), but the initial £183 million figure sent a seismic signal across UK business: GDPR enforcement was real, and the ICO intended to use its new powers.


22 lines of JavaScript. 380,000 cards.

The BA Magecart attack was surgically precise: approximately 22 lines of malicious JavaScript were injected into the BA payment page, overriding the legitimate form submission process to copy card details — including the CVV — to an attacker-controlled domain (baways.com) before passing the data to BA's legitimate payment processor. The attack operated on both the website and the mobile app (which used the same payment page code), and the malicious domain name was specifically chosen to appear legitimate at first glance.

22 Lines of Code = 380,000 Cards

The entire attack payload was approximately 22 lines of JavaScript — a tiny modification to a massive codebase. Detecting such a change requires integrity monitoring of payment page scripts, Content Security Policy enforcement, and regular code review. Our <a href="/penetration-testing/web-application">web application testing</a> includes payment page security assessment and script integrity verification.

CVV Captured — Not Stored by BA

BA did not store CVV codes (in compliance with PCI DSS). But the Magecart script captured CVVs in the browser as customers typed them — before the data reached BA's servers. This bypass of server-side controls demonstrated that browser-side security is as important as server-side security. <a href="/penetration-testing/pci-dss">PCI DSS testing</a> must now include client-side script security.

£183 Million → £20 Million

The ICO's initial £183 million fine (1.5% of turnover) was reduced to £20 million — partly due to COVID-19's impact on aviation, BA's cooperation, and improvements made post-breach. Even at £20 million, it remained one of the largest GDPR fines imposed by any regulator. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates the 'appropriate measures' that the ICO expects to see.

ICO: 'Could Have Been Prevented'

The ICO found that the breach could have been prevented with readily available measures — including Content Security Policy headers, Subresource Integrity checks, and better access controls on payment page code. Every one of these measures is assessed in our <a href="/penetration-testing/web-application">web application penetration testing</a>.

British Airways made GDPR enforcement real.

The BA fine was the moment GDPR enforcement became tangible for UK businesses. A household-name airline, a payment card breach affecting hundreds of thousands of UK customers, and a proposed fine of £183 million — the largest ever under any data protection regime worldwide. For every UK board of directors, the BA case answered the question 'Will the ICO actually impose large GDPR fines?' with an unequivocal yes.

For UK organisations handling payment data, the BA breach established clear expectations: payment page security must include client-side controls (CSP, SRI, script monitoring), not just server-side measures. Web application testing must cover both. PCI DSS testing must assess Magecart defences. Cyber Essentials certification demonstrates the baseline the ICO expects. SOC in a Box monitors for script injection in real time. And UK Cyber Defence provides the incident response capability that limits breach scope and demonstrates cooperation to the ICO.


£183 million proposed. £20 million imposed. British Airways made GDPR enforcement real. Are you ready?

Our <a href="/penetration-testing/web-application">web application testing</a> assesses Magecart defences. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates appropriate measures. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects script injection.
