British Airways

In 2018, British Airways suffered a **Magecart (e-skimming) attack** where attackers injected malicious JavaScript into its payment checkout page, exploiting a third-party script vulnerability. The breach went undetected for **two weeks**, during which **380,000 customers' payment card details** (including names, addresses, credit card numbers, CVV codes, and expiry dates) were harvested directly from the browser environment. The attack bypassed traditional security measures like WAFs and intrusion detection systems by operating entirely client-side, leveraging encrypted HTTPS traffic to exfiltrate data to attacker-controlled servers. The incident resulted in **regulatory fines (£20M by ICO)**, reputational damage, and a **class-action lawsuit** from affected customers. The breach highlighted critical gaps in monitoring dynamic client-side code and third-party script dependencies, which remained unaddressed despite robust server-side defenses. The financial and operational fallout extended beyond immediate fraud losses, impacting customer trust during peak travel seasons.

Source: https://thehackernews.com/2025/10/why-unmonitored-javascript-is-your.html

TPRM report: https://www.rankiteo.com/company/british-airways

{
  "id": "bri0532305101325",
  "linkid": "british-airways",
  "type": "Cyber Attack",
  "date": "6/2018",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}

{'affected_entities': [{'industry': 'Web Development Tools',
                        'location': 'Global',
                        'name': 'Polyfill.io',
                        'size': '500,000+ websites impacted',
                        'type': 'Third-Party Service Provider'},
                       {'industry': 'Technology/Networking',
                        'location': 'Global',
                        'name': 'Cisco',
                        'size': 'Large Enterprise',
                        'type': 'Corporation'},
                       {'customers_affected': '380,000',
                        'industry': 'Travel',
                        'location': 'United Kingdom',
                        'name': 'British Airways',
                        'size': 'Large Enterprise',
                        'type': 'Airline'},
                       {'industry': 'Entertainment',
                        'location': 'Global',
                        'name': 'Ticketmaster',
                        'size': 'Large Enterprise',
                        'type': 'Ticketing Platform'},
                       {'industry': 'Retail',
                        'location': 'Kuwait',
                        'name': 'Shrwaa.com',
                        'size': 'Small/Medium Business',
                        'type': 'E-commerce'},
                       {'industry': 'Retail',
                        'location': 'Global',
                        'name': 'Unspecified E-commerce Sites (Grelos skimmer '
                                'targets)',
                        'type': 'E-commerce'}],
 'attack_vector': ['Compromised Third-Party JavaScript (Polyfill.io, chat '
                   'widgets, analytics platforms)',
                   'Shadow Scripts (unauthorized/dynamically loaded scripts)',
                   'DOM Manipulation (fake payment forms)',
                   'Session/Cookie Hijacking',
                   'Encrypted HTTPS Traffic Exfiltration',
                   'Supply Chain Compromise (vendor scripts)'],
 'customer_advisories': ['Monitor payment card statements for unauthorized '
                         'transactions.',
                         'Use virtual cards or payment tokens for online '
                         'holiday shopping.',
                         'Report suspicious checkout behavior (e.g., '
                         'unexpected redirects, additional form fields).',
                         'Check browser extensions for malicious script '
                         'injection risks.'],
 'data_breach': {'data_encryption': 'No (data stolen in plaintext from '
                                    'checkout forms)',
                 'data_exfiltration': 'Yes (to attacker-controlled servers via '
                                      'encrypted HTTPS)',
                 'number_of_records_exposed': ['380,000 (British Airways '
                                               'breach)',
                                               '500,000+ websites (Polyfill.io '
                                               'supply chain)',
                                               'Unspecified (Cisco Magecart, '
                                               'Shrwaa.com, Grelos skimmer)'],
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, emails, '
                                                        'payment details)',
                 'sensitivity_of_data': 'High (financial and personal data)',
                 'type_of_data_compromised': ['Payment card data (card '
                                              'numbers, CVV, expiry dates)',
                                              'Authentication tokens',
                                              'Session cookies',
                                              'PII from checkout forms (names, '
                                              'addresses, emails)']},
 'date_publicly_disclosed': '2024-09-01',
 'description': 'The 2024 holiday season witnessed a surge in client-side '
                'attacks exploiting third-party JavaScript vulnerabilities, '
                'including the Polyfill.io supply chain breach (affecting '
                '500,000+ websites) and the Cisco Magecart attack targeting '
                'holiday shoppers. These incidents highlighted critical '
                'visibility gaps in Web Application Firewalls (WAFs) and '
                'intrusion detection systems, which fail to monitor malicious '
                "JavaScript executing in users' browsers. Attackers leveraged "
                'encrypted traffic, dynamic script behavior, and shadow '
                'scripts to steal payment data undetected, with attacks '
                'increasing by 690% during peak shopping periods. Notable '
                'examples included the British Airways (2018) and Ticketmaster '
                '(2019) breaches, alongside 2024 incidents like the Kuwaiti '
                'e-commerce site Shrwaa.com and the Grelos skimmer variant '
                'deploying fake payment forms before Black Friday.',
 'impact': {'brand_reputation_impact': 'High (eroded trust in e-commerce '
                                       'security during critical shopping '
                                       'period)',
            'conversion_rate_impact': 'Potential drop due to fake payment '
                                      'forms and compromised checkout flows',
            'customer_complaints': 'Expected increase due to payment fraud and '
                                   'data theft',
            'data_compromised': ['Payment card details (e.g., 380,000 records '
                                 'in British Airways breach)',
                                 'Authentication tokens',
                                 'Session cookies',
                                 'Personally Identifiable Information (PII) '
                                 'from checkout forms'],
            'identity_theft_risk': 'High (stolen payment data used for fraud)',
            'legal_liabilities': ['Potential PCI DSS non-compliance fines',
                                  'Regulatory penalties for delayed breach '
                                  'disclosure'],
            'operational_impact': ['Disrupted holiday shopping operations',
                                   'Development freezes limiting patch '
                                   'deployment',
                                   'Increased SOC workload during peak season'],
            'payment_information_risk': 'Critical (direct theft of card '
                                        'details from checkout pages)',
            'systems_affected': ['E-commerce platforms (e.g., Cisco '
                                 'merchandise store, Shrwaa.com)',
                                 'Third-party scripts (Polyfill.io, chat '
                                 'widgets, analytics tools)',
                                 'User browsers (client-side execution '
                                 'environment)']},
 'initial_access_broker': {'backdoors_established': 'Yes (persistent malicious '
                                                    'JavaScript on infected '
                                                    'sites)',
                           'data_sold_on_dark_web': 'Likely (stolen payment '
                                                    'data monetized via '
                                                    'underground markets)',
                           'entry_point': ['Compromised third-party scripts '
                                           '(e.g., Polyfill.io, chat widgets)',
                                           'Shadow scripts dynamically loaded '
                                           'without approval',
                                           'Vendor supply chain '
                                           'vulnerabilities (e.g., customer '
                                           'support tools)'],
                           'high_value_targets': ['E-commerce checkout pages',
                                                  'Payment processing forms',
                                                  'Authentication token '
                                                  'storage '
                                                  '(cookies/localStorage)'],
                           'reconnaissance_period': 'Varies (e.g., Polyfill.io '
                                                    'attack began in February '
                                                    '2024, detected during '
                                                    'holidays)'},
 'investigation_status': 'Ongoing (industry-wide analysis of 2024 holiday '
                         'season attacks)',
 'lessons_learned': ['Client-side attacks bypass traditional WAFs/IDS, '
                     'requiring specialized monitoring.',
                     'Third-party scripts introduce significant supply chain '
                     'risk, especially during high-traffic periods.',
                     'Encrypted traffic (HTTPS) obscures data exfiltration '
                     'from client-side attacks.',
                     'Development freezes during holidays delay patching, '
                     'exacerbating vulnerabilities.',
                     'Shadow scripts and dynamic code behavior evade static '
                     'analysis tools.',
                     'Compliance frameworks (e.g., PCI DSS 4.0.1) now '
                     'emphasize client-side risks but lack prescriptive '
                     'guidance.'],
 'motivation': 'Financial Gain (theft of payment card data during '
               'high-transaction holiday season)',
 'post_incident_analysis': {'corrective_actions': ['Mandate CSP/SRI '
                                                   'implementation for all web '
                                                   'properties.',
                                                   'Integrate client-side '
                                                   'monitoring into SOC '
                                                   'operations.',
                                                   'Establish third-party '
                                                   'script governance programs '
                                                   'with risk tiering.',
                                                   'Automate script inventory '
                                                   'and change detection.',
                                                   'Update incident response '
                                                   'plans to include '
                                                   'client-side breach '
                                                   'scenarios.',
                                                   'Advocate for clearer '
                                                   'regulatory guidance on '
                                                   'client-side protections.'],
                            'root_causes': ['Over-reliance on server-side '
                                            'security controls (WAFs/IDS) for '
                                            'client-side threats.',
                                            'Lack of visibility into '
                                            'third-party script behavior and '
                                            'dependencies.',
                                            'Absence of runtime monitoring for '
                                            'JavaScript execution in browsers.',
                                            'Insufficient enforcement of '
                                            'CSP/SRI despite availability of '
                                            'standards.',
                                            'Development freezes preventing '
                                            'timely patching during peak '
                                            'seasons.',
                                            'Compliance frameworks lagging '
                                            'behind client-side attack '
                                            'evolution.']},
 'recommendations': [{'actions': ['Deploy Content Security Policy (CSP) with '
                                  "nonces (avoid 'unsafe-inline').",
                                  'Implement Subresource Integrity (SRI) for '
                                  'all third-party scripts.',
                                  'Conduct quarterly audits of third-party '
                                  'script inventory.',
                                  'Enforce least-privilege data access for '
                                  'scripts (e.g., limit cookie/localStorage '
                                  'access).',
                                  'Use browser-based CSP validators to test '
                                  'policies before enforcement.'],
                      'category': 'Preventive Measures'},
                     {'actions': ['Deploy client-side monitoring tools (e.g., '
                                  'RASP, Web Exposure Management).',
                                  'Monitor for unexpected DOM manipulations or '
                                  'data transmissions.',
                                  'Track script behavior changes (e.g., new '
                                  'network requests, dynamic code loading).',
                                  'Set up alerts for unauthorized script '
                                  'modifications or injections.'],
                      'category': 'Detection & Monitoring'},
                     {'actions': ['Develop client-side specific incident '
                                  'playbooks (script isolation, customer '
                                  'notifications).',
                                  'Establish vendor escalation paths for '
                                  'compromised third-party tools.',
                                  'Pre-draft customer communication templates '
                                  'for payment data breaches.',
                                  'Define regulatory notification procedures '
                                  '(e.g., PCI DSS, GDPR).'],
                      'category': 'Incident Response'},
                     {'actions': ['Secure executive sponsorship for '
                                  'client-side security initiatives.',
                                  'Budget for managed client-side security '
                                  'services if in-house resources are limited.',
                                  'Include client-side security requirements '
                                  'in third-party vendor contracts.',
                                  'Train developers on secure coding practices '
                                  'for client-side scripts.',
                                  'Avoid development freezes during peak '
                                  'seasons without security exceptions.'],
                      'category': 'Organizational'},
                     {'actions': ['Align with PCI DSS 4.0.1 client-side '
                                  'requirements.',
                                  'Document client-side risk assessments for '
                                  'auditors.',
                                  'Implement logging for client-side events to '
                                  'meet regulatory evidence needs.'],
                      'category': 'Compliance'}],
 'references': [{'source': 'Cloudflare Holiday Season Traffic Report 2024'},
                {'source': 'British Airways Breach Post-Mortem (2018)'},
                {'source': 'Ticketmaster Customer Support Chat Breach Analysis '
                           '(2019)'},
                {'source': 'Polyfill.io Supply Chain Attack Report (2024)'},
                {'source': 'Cisco Magecart Incident Disclosure (September '
                           '2024)'},
                {'source': 'PCI DSS 4.0.1 Client-Side Security Guidelines'}],
 'regulatory_compliance': {'regulations_violated': ['PCI DSS 4.0.1 '
                                                    '(client-side data '
                                                    'protection requirements)',
                                                    'Potential GDPR violations '
                                                    '(for EU customer data)'],
                           'regulatory_notifications': 'Recommended: Mandatory '
                                                       'disclosure under '
                                                       'GDPR/PCI DSS for '
                                                       'affected entities'},
 'response': {'adaptive_behavioral_waf': 'Recommended: Supplement traditional '
                                         'WAFs with client-side protection',
              'containment_measures': ['Recommended: Deploy Content Security '
                                       'Policy (CSP) in report-only mode',
                                       'Recommended: Implement Subresource '
                                       'Integrity (SRI) for third-party '
                                       'scripts',
                                       'Recommended: Isolate and remove '
                                       'malicious scripts',
                                       'Recommended: Disable compromised '
                                       'third-party integrations'],
              'enhanced_monitoring': 'Recommended: Real-time JavaScript '
                                     'execution monitoring',
              'recovery_measures': ['Recommended: Develop client-side incident '
                                    'playbooks',
                                    'Recommended: Implement automated script '
                                    'inventory tools',
                                    'Recommended: Enhance customer '
                                    'communication templates for breaches'],
              'remediation_measures': ['Recommended: Conduct comprehensive '
                                       'script audits',
                                       'Recommended: Deploy client-side '
                                       'monitoring tools (e.g., RASP, Web '
                                       'Exposure Management)',
                                       'Recommended: Enforce nonces for inline '
                                       "scripts instead of 'unsafe-inline'",
                                       'Recommended: Update PCI DSS 4.0.1 '
                                       'controls for client-side risks']},
 'stakeholder_advisories': ['E-commerce platforms: Audit third-party scripts '
                            'before holiday season.',
                            'Payment processors: Monitor for fraud spikes '
                            'linked to client-side skimming.',
                            'Regulators: Clarify client-side protection '
                            'expectations in PCI DSS/GDPR.',
                            'Security vendors: Develop integrated server-side '
                            '+ client-side monitoring solutions.'],
 'title': '2024 Holiday Season Client-Side Attacks: Polyfill.io Breach and '
          'Cisco Magecart Incident',
 'type': ['Data Breach',
          'Supply Chain Attack',
          'E-skimming (Magecart)',
          'Client-Side Injection',
          'Payment Card Theft'],
 'vulnerability_exploited': ['Lack of Content Security Policy (CSP) '
                             'enforcement',
                             'Absence of Subresource Integrity (SRI) checks',
                             'Unmonitored third-party script dependencies',
                             'Insufficient client-side runtime monitoring',
                             'Over-reliance on server-side WAFs/IDS for '
                             'client-side threats',
                             'PCI DSS 4.0.1 compliance gaps in client-side '
                             'data protection']}