British Airways Data Breach 2018: How Magecart Stole 500,000 Customer Records
In September 2018, British Airways announced that the personal and financial details of approximately 500,000 customers had been compromised. The cause was elegant in its simplicity: attackers had injected 22 lines of malicious JavaScript into the British Airways website and mobile app. For two weeks, every customer who entered their payment details at checkout had those details skimmed in real time and sent to an attacker-controlled server. The ICO fined British Airways £20 million under GDPR. The attack is now the definitive case study in web application security failure.
The British Airways Magecart attack compromised 500,000 customer records over 15 days using 22 lines of JavaScript — resulting in a £20 million ICO fine.
How the British Airways Attack Happened
The attack was attributed to Magecart Group 6, a sophisticated criminal organisation known for targeting high-value websites. The attackers compromised a third-party JavaScript library used by the British Airways website. They modified it to include 22 additional lines of code that captured form field data — card number, CVV, expiry date, name, address — as customers entered it at checkout, and transmitted it to a server at baways.com (a lookalike domain registered specifically for this attack). The malicious code was indistinguishable from legitimate JavaScript by casual inspection and was not detected by British Airways for 15 days. Detection came not from British Airways's own monitoring but from an external security researcher.
Lessons for Online Retailers from British Airways
The British Airways case established key lessons that apply to every online retailer: third-party scripts are your responsibility — if a script executes on your website, you are liable for its behaviour, regardless of whether you wrote it; Content Security Policy headers would have prevented this attack — CSP restricts which external scripts can execute and where data can be sent; file integrity monitoring on your web assets detects unauthorised script changes; regular security testing of your web application identifies injection vulnerabilities; and you cannot rely on your own monitoring to detect this class of attack — external threat intelligence and bug bounty programmes are important supplements. The ICO's judgement was clear: British Airways had inadequate technical measures to protect customer data, and the size of the fine reflected the scale of the breach and the inadequacy of the controls.
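To make the CSP lesson concrete, here is a small added example (not code from the original article) that evaluates whether a Content-Security-Policy header would let a page contact a given host. It compares a script-only policy against one that also constrains connect-src and form-action; the site origin, the CDN host and the exact target URL on baways.com are assumed values, and the evaluator covers only the subset of CSP (host sources, 'self', 'none', default-src fallback) needed to show the point.

```javascript
// Added example: minimal CSP evaluator for fetch/navigation directives.
// Assumed values: the 'self' origin, the CDN host and the target URL path.
const SITE_ORIGIN = "https://www.britishairways.com"; // assumed 'self' origin

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set(["form-action", "frame-ancestors", "base-uri"]);

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression ('self', 'none', *, or a host source) match url?
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === SITE_ORIGIN;
  if (source === "'none'") return false;
  if (source === "*") return true;
  const m = source.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false; // nonce/hash/unknown keyword: not a host match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== urlPort) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Effective directive: the specific one, else default-src (where allowed),
// else the browser imposes no restriction on that kind of request.
function cspAllows(header, directive, target) {
  const policy = parseCsp(header);
  let sources = policy[directive];
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = policy["default-src"];
  if (sources === undefined) return true;
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed policies: restricting scripts alone leaves the data channel open;
// the hardened policy also limits where XHR/fetch and form posts may go.
const WEAK_CSP = "script-src 'self' https://cdn.assumed-example.com";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.assumed-example.com; " +
  "connect-src 'self'; form-action 'self'";
const EXFIL_TARGET = "https://baways.com/"; // lookalike domain from the incident; path assumed
```

Running `cspAllows(WEAK_CSP, "connect-src", EXFIL_TARGET)` returns true while the hardened policy returns false for both connect-src and form-action, which is the restriction the article refers to.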
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.