How an inexpensive iFrame could have saved British Airways from a potential £500 million fine

Data breach casts unflattering light on British Airways’ data security protocols

by Jason Perhar, PCI Booking Global Business Strategy Head

British Airways’ recent announcement of a data breach that affected 380,000 of their customers highlighted the pitfalls and dangers of not adequately protecting customer data in a PCI compliant manner. 

The breach, which went unnoticed over a 16-day period from August 21st to September 5th 2018, captured both personal information and full payment details (including the CVV code). Security firms investigating the cyber-attack have pinpointed Magecart, a group that specializes in identifying and attacking websites that do not have a sufficiently secure payment infrastructure, as those responsible.

Early indications from those familiar with the breach, and with previous Magecart attacks, suggest that the attack was built around a script of only 22 lines, injected into a poorly secured baggage claim information page that had not been modified since 2012. The script then transmitted any information entered on the payment page to a server controlled by Magecart.

What is an IFrame?

An IFrame (Inline Frame) is an HTML document embedded inside another HTML document (such as a webpage) on a website. PCI Booking’s IFrame is used to insert the secure payment capture form on the customer’s website. Fully customizable, the IFrame can be tailored to suit the web page’s branding.

IFrames allow card data to be entered, tokenized and stored on secure PCI Booking servers in accordance with PCI guidelines.

The ramifications for BA’s image and customer goodwill are hard to quantify and will, most likely, take years to recover from. Financially, however, the impact has already been felt. The stock price of parent company IAG has dropped over 2% since the announcement, and BA has pledged to compensate customers for any financial losses they experience. These costs could pale in comparison to the potential fine of £500 million if the airline is found to have been negligent in the manner in which it captured and stored payment information.

This could well be the case: a recent Sunday Times article, based on interviews with security professionals familiar with BA’s infrastructure, reported that the airline had failed to achieve PCI compliance in December 2017.

When observing the manner and outcome of the breach, it becomes apparent that straightforward PCI compliance measures would have averted this crisis. Had BA incorporated a secure iFrame (a fully brandable payment portal that captures payment details in a PCI compliant manner), such as PCI Booking’s iFrame, into their payment pages, no payment information could or would have been intercepted by the malicious script: the card fields would have lived in a document served from the payment provider’s own origin, which a script running on BA’s page cannot read.

At worst (and even this is unlikely), the only information that could have been intercepted with a PCI compliant iFrame in place would be the already encrypted card token, which in itself is useless to any attacker. PCI Booking’s approach of removing all card data from a company’s infrastructure ensures that, even in the worst case scenario of a breach on the company’s site, there is simply no payment information available for theft and misuse.
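To make the isolation described above concrete, here is an added example (not PCI Booking’s code, and not code from the BA incident) of how a merchant page embeds a cross-origin payment iFrame and accepts only a token back from it. The provider origin, the `/capture` path and the `card-token` message shape are assumptions for illustration.

```javascript
// Added example (illustration only): merchant-side handling of a hosted
// payment iFrame. Origin, path and message format are assumed, not real.

const PROVIDER_ORIGIN = "https://payments.example-provider.test"; // assumed

// The merchant page embeds the provider's capture form. Because the frame's
// src is on a different origin, the browser's same-origin policy prevents any
// script running on the merchant page (including one injected by an attacker)
// from reading the card number or CVV typed inside the frame.
function paymentFrameMarkup(sessionId) {
  const src = `${PROVIDER_ORIGIN}/capture?session=${encodeURIComponent(sessionId)}`;
  return `<iframe src="${src}" title="Secure payment form"></iframe>`;
}

// The frame hands back a token via window.parent.postMessage(...). The merchant
// page must accept it only from the provider's origin and only in the expected
// shape; everything else is dropped. Returns the token string or null.
function tokenFromMessage(event) {
  if (event.origin !== PROVIDER_ORIGIN) return null;          // untrusted sender
  const data = event.data;
  if (!data || typeof data !== "object") return null;         // wrong shape
  if (data.type !== "card-token") return null;                // wrong message kind
  if (typeof data.token !== "string") return null;
  if (!/^[A-Za-z0-9_-]{16,}$/.test(data.token)) return null;  // opaque token only
  // Defensive check: a provider must never echo raw card data to the merchant
  // page; refuse the message outright if it ever does.
  if ("pan" in data || "cvv" in data) return null;
  // The token alone is useless to a skimmer on this page: it carries no PAN/CVV
  // and is only redeemable by the merchant's back end with the provider.
  return data.token;
}

// Browser wiring (no-op under Node so the module also loads there).
function attachTokenListener(onToken) {
  if (typeof window === "undefined") return;
  window.addEventListener("message", (event) => {
    const token = tokenFromMessage(event);
    if (token !== null) onToken(token);
  });
}
```

The listener deliberately ignores `event.source` and relies on `event.origin`, since the origin is set by the browser and cannot be spoofed by page script.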

All this emphasises the dangers of not securing your infrastructure in a PCI compliant manner, or of attempting to do so yourself when this is not your core business. The consequences, as seen in this incident, can be extremely negative and extremely expensive.