How British Airways Lost £20 Million to 22 Lines of Code

In 2018, attackers breached British Airways and modified their website. They injected a malicious script into the payment page — a classic XSS-based attack. For 15 days, every customer who entered their payment details on the British Airways website had those details silently sent to an attacker-controlled server.

500,000 customers had their names, billing addresses, email addresses, and full payment card details stolen — while the site looked completely normal.

THE ATTACK — STEP BY STEP
Aug 21: Attackers compromise the British Airways website and inject a malicious script into the payment page
Aug 21–Sep 5: Script silently copies payment details from every customer and sends them to baways.com (attacker's server)
Sep 5: British Airways discovers the breach and notifies authorities
Oct 2018: UK Information Commissioner's Office begins investigation
Jul 2019: ICO issues £183M fine (later reduced to £20M after COVID appeal)

Magecart — the group behind it

British Airways was one of dozens of victims of a group called Magecart. Their technique: find a way to inject JavaScript into checkout pages, then harvest payment data from every customer who visits. Other victims included Ticketmaster, Newegg, and hundreds of smaller e-commerce sites. The script was small — sometimes just 22 lines — but it ran silently inside a trusted domain.

WHY IT WAS SO EFFECTIVE
Ran on a trusted domain
The script was on britishairways.com itself — not a fake site. Customers had no reason to distrust it.
Invisible to the victim
No popup, no warning, no visible change. The payment form looked and worked completely normally.
Bypassed HTTPS
HTTPS encrypts data in transit. The script ran before data was sent — it stole it at the source, before encryption.
15 days undetected
Nobody noticed for over two weeks. No monitoring caught the outbound requests to the attacker's server.
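
The last two points are what a Content-Security-Policy targets: HTTPS protects the connection, while CSP restricts where a page script may send data. The following is an added example, not code from the original page or from British Airways: a simplified CSP matcher that lists which outbound channels stay open to baways.com under a given policy. The policy strings, URL paths and the api.payments.example host are constructed for illustration.

```javascript
// Added example. Simplified CSP matching: ports, paths, nonces and hashes are ignored.
const FALLS_BACK_TO_DEFAULT = new Set(["connect-src", "script-src", "img-src"]);

// Parse "name src src; name src" into a Map. The first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Does one source expression cover the target URL?
function sourceMatches(source, target, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source; // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)/.exec(source);
  if (!m) return false; // 'none', 'unsafe-inline' and similar keywords match no URL
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// Would a browser permit `url` under `directive` for a page served from `pageOrigin`?
function isAllowed(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) sources = directives.get("default-src");
  if (!sources) return true; // no governing directive: the request is unrestricted
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, pageOrigin));
}

// Channels a page script can use to send form data out: fetch/XHR, image beacon, form post.
const EXFIL_CHANNELS = ["connect-src", "img-src", "form-action"];
function openExfilChannels(policy, url, pageOrigin) {
  return EXFIL_CHANNELS.filter((d) => isAllowed(policy, d, url, pageOrigin));
}

// Constructed sample values; only the two hostnames come from the article.
const PAGE = "https://www.britishairways.com";
const EXFIL = "https://baways.com/collect";
const SCRIPT_ONLY = "script-src 'self'";
const HARDENED = "default-src 'self'; connect-src 'self' https://api.payments.example; form-action 'self'";

console.log(openExfilChannels("", EXFIL, PAGE));          // no policy: all channels open
console.log(openExfilChannels(SCRIPT_ONLY, EXFIL, PAGE)); // script-src alone: all still open
console.log(openExfilChannels(HARDENED, EXFIL, PAGE));    // allowlisted destinations: none open
console.log(isAllowed(HARDENED, "script-src", PAGE + "/js/lib.js", PAGE));
```

The last call returns true: a tampered script on the site's own origin still loads under the hardened policy, so the policy limits where stolen data can go rather than detecting the modification.
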
1. The British Airways attack stole payment details even though the site used HTTPS. Why did HTTPS not prevent this?

2. What made the Magecart attack difficult for customers to detect?
