British Airways Magecart payment card skimming attack (August–September 2018)
Incident Details
The British Airways Magecart breach of 2018 is one of the most technically documented payment card skimming attacks on record and led to a landmark GDPR enforcement action. The active skimming window ran from August 21 to September 5, 2018 — fifteen days during which customers making bookings on ba.com and the BA mobile app had their payment details silently intercepted and exfiltrated.
Attackers first obtained access to British Airways’ internal network using compromised credentials belonging to a third-party supplier, then moved laterally through a Citrix remote desktop environment to reach web-facing infrastructure. The ICO’s subsequent investigation additionally found that British Airways had been logging payment card data for certain transactions in plaintext since 2015, and had not implemented multi-factor authentication on its Citrix remote access system — deficiencies that substantially enabled the attack.
The skimmer injection was precise. RiskIQ researchers identified that a modified version of the widely-used Modernizr JavaScript library (v2.6.2), loaded from the BA baggage claim information page, had been tampered with — 22 new lines of skimming code appended to the bottom of the legitimate script, preserving the script’s normal functionality while silently activating during payment form submission. The code used a touchend event callback, ensuring the skimmer captured data on both desktop browsers and mobile devices. Captured data — cardholder name, billing address, card number, expiry date, and CVV — was transmitted to a server at IP address 89.47.162.248 in Romania, operated through a Lithuanian VPS provider named Time4VPS. Attackers registered a convincing lookalike domain and obtained a Comodo SSL certificate for it on August 15, 2018, six days before the skimmer activated.
RiskIQ and other security firms attributed the attack to Magecart Group 6, the same threat actor responsible for the concurrent Ticketmaster breach. The infrastructure overlap and skimmer code similarities were strong indicators of common authorship.
British Airways disclosed the breach on September 6, 2018, initially reporting approximately 380,000 affected customers. The ICO’s investigation concluded that the data of up to 429,612 individuals could have been accessed: 244,000 customers had name, address, card number, and CVV exposed; 77,000 had only card number and CVV exposed; 108,000 had only card number exposed.
The UK Information Commissioner’s Office announced in July 2019 an intention to impose a fine of £183.39 million — at the time the largest proposed GDPR penalty globally. After considering mitigating actions taken by British Airways and the airline’s financial difficulties during the COVID-19 pandemic, the ICO issued a final fine of £20 million on October 16, 2020.
Technical Details
- Initial Attack Vector
- Magecart web-skimmer attack — attackers initially accessed British Airways' network via stolen credentials belonging to a third-party supplier, moved laterally through a Citrix-based remote access system, then injected 22 lines of malicious JavaScript into a modified Modernizr library loaded from the BA baggage claim information page; the skimmer exfiltrated payment card data in real time to an attacker-controlled server in Romania during the booking checkout flow
- Vendor / Product
- British Airways website / booking platform
- Software Package
- Modernizr JavaScript library (tampered version 2.6.2)
- Malware Family
- Magecart web skimmer
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2018-08-21 Breach occurred
- 2018-09-06 Publicly disclosed
- 2018-09-06 Customers notified