Supply chain · Resolved

British Airways Magecart card-skimming

Magecart operators injected card-skimming JavaScript into British Airways' payment page, stealing card details on 380,000 transactions over 15 days. UK ICO initially proposed a £183.4M GDPR fine — later reduced to £20M after Covid-impact mitigation arguments.

Victim: British Airways
Loss: $35.0M
Records: 429.0K
Users: 429.0K

On 6 September 2018, British Airways publicly disclosed that Magecart card-skimming operators had captured payment-card data from approximately 380,000 customer transactions over a 15-day window. The malicious JavaScript had been appended to a copy of the open-source Modernizr library that BA served from its own site and loaded on its payment page: a textbook case of the Magecart web-skimming technique, which has since affected hundreds of e-commerce operators worldwide.

The case became significant for the UK ICO's initial proposal of a £183.4 million fine under GDPR — at the time the largest proposed European data-protection penalty — though the final penalty was eventually reduced to £20 million amid COVID-19 mitigation arguments.

What happened

British Airways' payment pages loaded a copy of the Modernizr feature-detection library (modernizr-2.6.2.min.js) hosted on BA's own baggage-claim information page infrastructure, not on a third-party CDN. On or around 21 August 2018, Magecart operators modified that file, appending approximately 22 lines of JavaScript that:

  • Captured card data, expiration dates, CVVs, and cardholder names entered into BA's payment form.
  • Exfiltrated the captured data to a typosquatted attacker-controlled domain (baways.com — visually similar to ba.com).
  • Fired only when the payment form's submit button was pressed (a mouseup or touchend handler), so other pages that loaded the same library behaved normally and the detection signal was small.

The same modified script was loaded by BA's mobile app, which rendered the same web content; the touchend handler extended the skimming to mobile transactions as well.

The card-skimming ran for 15 days before British Airways was alerted to it by a third party and removed the malicious script; the ICO's investigation later found that BA had not detected the intrusion itself. By then, approximately 380,000 transactions had been captured. BA and the ICO subsequently put the number of affected individuals at roughly 429,000 once customers whose card data was exposed outside that window were counted.

The Magecart pattern

The British Airways operation was one of the highest-profile examples of the Magecart technique: skimming JavaScript injected into the checkout page of a major e-commerce operator, either by compromising a third-party script provider or by modifying a library the merchant hosts itself. The same technique affected:

  • Ticketmaster UK (June 2018) via a compromised chat-widget script
  • Newegg (September 2018) via direct site compromise
  • Macy's (October 2019)
  • British Airways (this incident)
  • Hundreds of smaller e-commerce operators

The Magecart ecosystem encompasses multiple distinct criminal groups (designated Magecart Group 1 through Group ~12 by RiskIQ) sharing common toolkits and tactics. The British Airways operation was attributed to Magecart Group 6 based on toolkit signatures.

ICO penalty and reduction

In July 2019, the UK Information Commissioner's Office announced an intent to fine British Airways £183.4 million under GDPR — approximately 1.5% of BA's 2017 global turnover, and at the time the largest GDPR penalty proposed by any EU regulator.

The proposal was politically significant because it demonstrated the ICO's intent to use GDPR's headline penalties (up to 4% of global turnover) rather than the much smaller penalties available under pre-GDPR UK law (a maximum £500,000 under the Data Protection Act 1998 — the cap that constrained the TalkTalk 2015 penalty).

In October 2020, the ICO issued a final penalty of £20 million — approximately 11% of the original proposal. The reduction cited:

  • BA's COVID-19 financial position during 2020.
  • BA's voluntary remediation and cooperation.
  • BA contested only the amount of the penalty, not the ICO's underlying findings, which simplified the proceedings.

The reduction was widely criticised as setting a permissive precedent. Subsequent GDPR enforcement has trended back toward the higher end of the available penalty range.

Impact

  • 429,000 customers with payment-card data exposed.
  • Card reissuance for affected cards, with the cost largely borne by card-issuing banks.
  • £20M ICO penalty + class-action settlement (confidential per-claimant amounts).
  • BA's brand impact was modest by the standards of breaches at this scale — partly because BA's customer-facing response was rapid and clear.

Why it matters

British Airways / Magecart is the canonical European case for third-party JavaScript supply-chain risk in e-commerce. It established:

  • That inline payment forms loading JavaScript from anywhere outside the payment processor's control are exposed to skimming attacks at supply-chain scale. The mitigating control, iframe-based payment forms that load card-entry fields from a payment processor's domain rather than from the merchant's page, has since become the recommended PCI DSS architecture, and PCI DSS v4.0 added requirements 6.4.3 (inventory, authorisation and integrity checking of every script on the payment page) and 11.6.1 (tamper detection on the payment page's content and HTTP headers) in direct response to web-skimming cases like this one.
  • That the ICO would use GDPR's headline penalties for major breaches, at least directionally. The £183.4M initial proposal signalled enforcement intent even if the final penalty was significantly reduced.
  • That third-party CDN-loaded scripts are an under-monitored attack surface. Most major e-commerce operators load dozens of third-party scripts on their payment pages; the British Airways case made the supply-chain exposure of those scripts a board-level concern.

The British Airways operation, combined with Ticketmaster (2018), Newegg (2018), and the broader Magecart campaign, has been the most-cited motivator for the rapid adoption of client-side security tools (CSP, SRI, runtime JavaScript monitoring) in e-commerce.

Financial impact

Reported costs in USD

Total reported loss: $35.0M (USD 35,000,000)
  • Business loss: $10.0M
  • Remediation: $5.0M
  • Fines & settlements: $25.0M

Timeline

  1. On or around 21 August 2018, Magecart operators modify the copy of the Modernizr library served from British Airways' baggage-claim information page and loaded on the BA payment page. The appended code captures card data entered into the payment form and exfiltrates it to a typosquat domain (baways.com).

  2. Card-skimming runs for 15 days, from 21 August to 5 September 2018. Approximately 380,000 transactions are captured. The BA mobile app, which loads the same modified JavaScript, is also affected.

  3. On 5 September 2018, British Airways is alerted to the malicious script by a third party (the ICO later found that BA had not detected the intrusion itself). The modified script is removed.

  4. On 6 September 2018, British Airways publicly discloses the breach via a statement from CEO Alex Cruz. Customers are notified directly.

  5. In July 2019, the UK ICO announces an intent to fine British Airways £183.4 million, at the time the largest GDPR penalty proposed by any EU regulator.

  6. In October 2020, the ICO issues its final penalty of £20 million. The reduction cites BA's COVID-19 financial position, its voluntary remediation, and the fact that BA challenged only the amount rather than the underlying findings.

  7. In 2021, BA settles a separate class action brought on behalf of affected customers, with confidential per-claimant terms. The ICO is not a party to that settlement.

Sources

  1. ico.org.uk: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/
  2. riskiq.com: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
  3. bbc.com: https://www.bbc.com/news/business-45446529
