Tags: #web-skimming #magecart #airlines

Magecart and British Airways

Twenty-two lines of JavaScript appended to a library loaded by the British Airways checkout harvested payment cards from customers' browsers for fifteen days.

Cyber Chronicle, 2 min read

In September 2018, British Airways disclosed that the payment-card data of approximately 380,000 customers had been compromised. Card numbers, CVV codes, expiry dates, names, and addresses, everything a payment processor needs to authorize a transaction, had been quietly exfiltrated from the airline's online booking flow over a fifteen-day period. The data left directly from each customer's browser at the moment they submitted the payment form, so nothing unusual had to pass through the airline's payment back end.

A script inside a script

The skimmer did not need access to British Airways' payment back end or its databases; a single modified static file was enough. RiskIQ researchers reconstructed the chain: attackers modified a JavaScript library served from a host inside British Airways' own content estate, appending twenty-two lines of code that listened for payment-form submissions, serialized the form fields, and sent the captured data to a look-alike domain (baways.com) registered shortly before the campaign began. Because the file kept its original name and URL, the page loaded it exactly as before, and the extra outbound request to the look-alike domain blended in with the legitimate analytics and tracking calls a checkout page already makes.

The technique, modifying a script inside a payment page's chain of trust, whether by tampering with a self-hosted library, compromising a third-party script provider, or exploiting a vulnerable content management system, had by then been industrialized by a loose collection of attacker groups that researchers collectively labeled Magecart. Newegg, Ticketmaster, and dozens of smaller e-commerce sites had been hit in similar fashion.

A landmark GDPR moment

In July 2019 the UK Information Commissioner's Office announced its intention to fine British Airways £183 million under the then-new General Data Protection Regulation, the largest penalty it had proposed at that point. In October 2020, after considering the airline's representations, the remediation it had carried out, and the economic impact of the pandemic on the business, the ICO set the final fine at £20 million.

What the chronicle remembers

British Airways turned web-skimming into a board-level concern. Every script on a payment page, the case demonstrated, is an implicit trust relationship, and the supply chain of front-end dependencies on a modern e-commerce site is long. The practical lessons that followed were concrete: inventory every script that can execute on a checkout page, pin each one to a known hash with Subresource Integrity, and restrict where the page may send data with a Content Security Policy, so that a modified file fails to load and an unexpected outbound request fails to leave.