UPDATED: Protect your e-commerce site from Magecart Attacks: learn from the British Airways and NewEgg attacks

British Airways Airplane

It’s all over the news these days – since last September, when the British Airways cyber theft first made the news, this week the fines were announced: a record $328 million fine for British Airways, the highest penalty to date under current data protection rules.  

For businesses that deal with data and security, this is a serious concern, and working out ways to keep their customers’ data safe and prevent these types of attacks. 

Read on for more details on the Magecart cyber attacks, and how DataTrue’s solution provides tools to prevent this kind of attack on organizations. 


E-commerce sites worldwide face a growing risk from the threat group Magecart, who are perpetrating simple but sophisticated attacks on online payment forms. High profile reported victims include Ticketmaster, British Airways and NewEgg, however, there are likely to be many sites compromised without their knowledge.

The British Airways’ hack was a demonstration of just how vulnerable companies, even big household names, can be with names addresses, emails, credit card information and CVV authentication numbers of up to 380,000 customers quietly siphoned off over a two week period in August 2018. While British Airways certainly takes its data privacy very seriously, this shows just how vulnerable our online properties can be without regular processes that monitor our infrastructure and report back weaknesses in our IT defences.

For anyone regularly dealing with online risk, privacy, and data protection, keeping your customer’s data safe is a top priority. With the right tools, British Airways could have recognized and stopped the hack well before it became a severe breach, something that data monitoring and validation tool DataTrue could have done through automated data assurance.

However, first – how did the hackers break past British Airways’ defences?

The data breach began on the 21st of August and was a simple heist which copied data from app and website payment pages and sent sensitive personal data to a third-party site operated by the hackers.

The British Airways attack didn’t require the perpetrators to break through the organization’s network or servers, instead, they found an unsecured part of the web page through the JavaScript libraries used by the British Airways’ website and injected a malicious piece of code into the baggage claim information page.

As a result, any time someone filled out his or her details in the baggage claim form, including names, credits card details, and CVV authentication numbers, this information was sent to the hackers’ website “baways.com” with no one the wiser for two weeks, allowing the hackers to accrue financial information on 380,000 customers. The RiskIQ team provide a more comprehensive analysis here of how the hack was perpetrated.

How DataTrue can detect Magecart attacks

DataTrue automatically tests the data your site is collecting and exposing to third party data processors. DataTrue tests can be automated to run hourly, plus before and after every code or content deployment.

DataTrue PII monitoring and detection module
In the case of British Airways, this would have meant the fictitious persona would have gone to the website, began the transaction, filled out the form and clicked submit. As this happens, the piece of malicious JavaScript would have executed, sent the information through the proxy server, to the fake “baways.com”.

At this point DataTrue would have detected the string patterns that were defined in the persona going through the proxy servers and to the hackers’ website, generating a report on what data and to which website or data processor the sensitive information was exposed to.

DataTrue would have identified the hackers’ website as a non-authorized data processor and alerted British Airways team to the hack. Contact us to find out more about how DataTrue can automatically validate and protect your data.

Related Blogs

Automated data layer testing
The data layer is generally regarded as the best practice for structuring how data is transferred from your website to your tag manager, and ultimately your tags. Adding a data...
Adobe Summit 2019
Visit DataTrue at Adobe Summit for your chance to win
DataTrue is a proud sponsor of Adobe Summit, Las Vegas for the fourth time! We will join thousands of marketing professionals March 24–28 at The Venetian and The Palazzo, Las...
3 Adobe Summit session post image
3 sessions we’re looking forward to at Adobe Summit 2018
As a Showcase sponsor at Adobe Summit 2018 there has been plenty to keep us busy in recent weeks preparing for the Summit. As we have now packed our bags and are...