The cyber attack resulted in 380,000 customers’ personal and financial details ending up in the hands of criminals, with the airline warning those affected to contact their banks and promising full compensation.
Cyber security firm Risk IQ quickly identified it as a website credit card so-called skimming attack, where hackers infiltrate third-party software embedded in other websites to copy details entered by unsuspecting users.
Today it pointed the finger at a hacking outfit known as Magecart, which was also blamed for a hack on Ticketmaster earlier this year affecting up to 40,000 customers.
But Risk IQ warned its latest attack was much more sophisticated.
Rather than targeting third-party software embedded into a website, which is a typical approach to online skimming, Risk IQ’s analysis found that Magecart compromised the site itself, copying and modifying BA’s code supporting payments to send the payment details unwitting travellers type in to its own server.
The app shared many similarities with the website, making it easy for hackers to adjust their technique to target travellers paying via their smartphones, too.
"This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, head researcher at RiskIQ.
"This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular."
The firm’s analysis found that Magecart operatives could have infiltrated BA’s site days before the hack began on 21 August. A web certificate on the attacker’s main server was issued on 15 August.
Rob Shapland, principle cyber security consultant at Falanx Group, said BA could have prevented the hack simply by tracking any changes to its website’s code.
“The malicious code that steals the credit card details was injected into the site and would change the source code, meaning that it would be relatively simple to flag up the difference as soon as it occurred,” he said.
“One thing we don't know at this time is how the code was inserted into the site, as this could mean that the hackers had further access to BA systems."
BA declined to comment, saying a criminal investigation remains underway.