Scans, Not Scams!

British Airways have, for the second time this year, reported a substantial data breach, this time one in which 244,000 credit cards were compromised.

What makes this latest security breach interesting is that it involved a reconfiguration of British Airways' server infrastructure: 22 lines of malicious JavaScript source code were injected into the copies of Modernizr and jQuery used on the British Airways website.

It's important to note that there is nothing inherently insecure about using either Modernizr or jQuery. The injected script added, to the version of the library served on the British Airways website, a variation that read the data from the credit card form during payment and sent a duplicate of that data to "baways.com", a website that (we are advised) is owned by the attackers, while still sending the data correctly to the British Airways backend. The culprit was able to carry out this attack by modifying production source code on the British Airways website.

What this case demonstrates is the need to continually 1) scan and 2) monitor. Security experts recommend that resilience against an attack of this kind is best provided by detecting intrusions into infrastructure. However, it is widely reported that, in this case, British Airways was unaware of the intrusion(s), which shows that a single security control is not enough on its own. A multifaceted strategy would complement intrusion detection with ongoing verification that production JavaScript source code has not been modified (unless the change has been signed off internally).

External monitoring systems are a good way to detect changes to public-facing source code. If configured correctly and reviewed frequently, these tools let you check every reported change against the changes you intended to make. Most products allow the verification process to be automated. It is critical, however, that someone actually reads the reports!
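One minimal form of that verification, added here as an illustration rather than British Airways' tooling or any product's code: hash every production script exactly as served and compare it with a manifest captured from a signed-off release, so that an unexpected change such as extra code appended to a library is flagged for a person to review. The URLs and file contents are constructed for the demo.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    """Hash an asset exactly as served (raw bytes, not decoded text)."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(assets: dict) -> dict:
    """Manifest of script hashes from a signed-off release; regenerate it only
    after internal sign-off, since every later check compares against it."""
    return {url: sha256_hex(body) for url, body in assets.items()}

def verify_assets(baseline: dict, fetch) -> dict:
    """Fetch each script in the manifest via fetch(url) -> bytes and report it as
    'ok' (hash matches), 'modified' (hash differs) or 'unavailable' (fetch
    raised). Anything other than 'ok' is for a person to confirm as intended."""
    report = {}
    for url, expected in baseline.items():
        try:
            body = fetch(url)
        except Exception:
            report[url] = "unavailable"
            continue
        report[url] = "ok" if sha256_hex(body) == expected else "modified"
    return report

# Constructed demo data: assumed URLs and file bodies, not any real site's assets.
SIGNED_OFF = {
    "https://example.test/js/modernizr.min.js": b"/*! modernizr */window.Modernizr={};",
    "https://example.test/js/jquery.min.js": b"/*! jquery */window.jQuery=function(){};",
}
BASELINE = build_baseline(SIGNED_OFF)

# Simulated live site: jQuery unchanged, Modernizr with unexpected code appended.
LIVE = dict(SIGNED_OFF)
LIVE["https://example.test/js/modernizr.min.js"] += b"\n/* unexpected trailing code */"

def fake_fetch(url: str) -> bytes:
    """Offline stand-in for a real fetcher such as urllib.request.urlopen(url).read()."""
    return LIVE[url]

def demo() -> dict:
    """Run one verification pass against the simulated live site."""
    return verify_assets(BASELINE, fake_fetch)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the manifest is rebuilt only on a signed-off release and the check runs on a schedule, with any "modified" or "unavailable" result routed to a person rather than silently logged.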

 

Does your business handle customer information like credit card details?

Could your business handle the costs associated with a substantial breach of customer information and a PCI DSS investigation?


See how Cyber Insurance can benefit your business directly
