British Airways has, for the second time this year, reported a substantial data breach, this one compromising 244,000 credit cards.
It's important to note that there is nothing inherently insecure about using either Modernizr or jQuery. The injected script added, to the version of the library served from the British Airways website, code that read the data from the credit card form during payment and sent a copy of it to "baways.com", a website we are advised is owned by the attackers, while still sending the data to the British Airways backend as normal. The culprit was able to carry out this attack by modifying production source code on the British Airways website.
External monitoring systems are a good way to detect changes to public-facing source code. If configured correctly and reviewed frequently, these tools let you verify every reported change against the list of intentional changes. Most products allow the verification process to be automated. It is, however, critical that someone is actually checking the reports!
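A minimal version of such a monitor, added here as an illustration and not code from the original post or from any monitoring product: it hashes freshly fetched copies of the monitored scripts against a baseline of their intentional versions and, when one has changed, lists any hostnames the script now references that are not on an allowlist. The asset URL, the allowlist and the two script bodies are constructed sample data.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed sample: the approved build of a public-facing script, and the
# same script after an unapproved line was added to it.
ASSET_URL = "https://www.example-airline.test/static/js/modernizr.js"  # hypothetical
CLEAN_BODY = b"/* modernizr build */\nwindow.Modernizr = {};\n"
TAMPERED_BODY = CLEAN_BODY + b'/* added */ var sink = "https://baways.com/";\n'

# Hosts our own scripts are allowed to reference (hypothetical allowlist).
APPROVED_HOSTS: Set[str] = {"www.example-airline.test"}

# Baseline manifest: URL -> SHA-256 of the intentionally deployed content.
BASELINE: Dict[str, str] = {ASSET_URL: hashlib.sha256(CLEAN_BODY).hexdigest()}

_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def unexpected_hosts(body: bytes, approved: Set[str]) -> List[str]:
    """Hostnames referenced in the script body that are not on the allowlist."""
    text = body.decode("utf-8", errors="replace")
    return sorted({h.lower() for h in _HOST_RE.findall(text) if h.lower() not in approved})


def check_assets(baseline: Dict[str, str], fetched: Dict[str, bytes],
                 approved: Set[str] = APPROVED_HOSTS) -> List[str]:
    """Compare fetched assets with the baseline; an empty list means no drift."""
    findings: List[str] = []
    for url, expected in baseline.items():
        body = fetched.get(url)
        if body is None:
            findings.append(f"{url}: asset missing from fetch")
            continue
        actual = hashlib.sha256(body).hexdigest()
        if actual != expected:
            findings.append(f"{url}: content changed ({expected[:12]} -> {actual[:12]})")
            # A changed script that now talks to a host we do not own is the
            # highest-priority case for a human reviewer.
            hosts = unexpected_hosts(body, approved)
            if hosts:
                findings.append(f"{url}: references non-approved hosts {hosts}")
    for url in fetched:
        if url not in baseline:
            findings.append(f"{url}: not in baseline, review before approving")
    return findings


if __name__ == "__main__":
    for line in check_assets(BASELINE, {ASSET_URL: TAMPERED_BODY}):
        print(line)
```

In a real deployment the `fetched` dictionary would be populated by an external fetch of each URL on a schedule, and the baseline updated only as part of an approved release.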
Does your business handle customer information like credit card details?
Could your business handle the costs associated with a substantial breach of customer information and a PCI DSS investigation?