British Airways said that the data breach it first reported in September is larger than previously thought. It has added an additional 185,000 victims to the official tally.
The airline said that hackers may have stolen personal data connected to an additional 77,000 payment cards, including name, billing address, email address and card payment information – including card number, expiry date and CVV. And, it uncovered a further 108,000 cards that were exposed without CVV.
In the plus column, of the 380,000 payment cards originally thought to be compromised, only 244,000 of those were actually affected, upon investigation. The net total for the entire breach now stands at 429,000.
The impacted customers were those using their air miles to book flights on the website between April 21 and July 28 of this year, and who used a payment card.
“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” the airline said in a website notice. “Crucially, we do not have any verified cases of fraud.”
The breach is believed to have been carried out by the Magecart group, which specializes in e-commerce attacks. According to RiskIQ researchers last month, there were suspicious scripts on the baggage claim information page of the British Airways’ website – which then collected data from visitors and sent it back to the threat actors’ server.
Yonathan Klijnsma, threat researcher with RiskIQ, told Threatpost at the time that the campaign can be attributed to Magecart with “medium-high confidence.”
“Magecart since 2017 has been running a campaign very similar to what happened to British Airways,” he said. “They’ve been setting up infrastructure to mimic victims or they would simply mimic ad or analytics providers to blend in. The British Airways attack was just an extension of that attack in our eyes.”
The news comes on the heels of Cathay Pacific admitting this week that “unauthorized personnel” accessed the personal data for up to 9.4 million passengers, including their passport numbers, along with a small amount of card information.
“Airline customers by their nature travel a lot, so location-based usage on their credit cards is difficult to predict,” said Matthew Aldridge, senior solutions architect at Webroot. “This gives fraudsters a greater chance of successful transactions being made with the stolen card data. Similarly, travel history could be used to place fraudulent transactions at locations that have actually been visited by the cardholder.”
He also pointed out that personal data also goes hand-in-hand with booking a ticket – also attractive to thieves.
“Airlines keep a lot of sensitive personal data on their customers, which can include things like passport numbers, addresses, phone numbers and email addresses,” he said. “This information can be of great use in future identity theft attacks.”