https://baways.com/

Submitted URL:
https://baways.com/
Report completed:

Links · 28 found

URL | Text
https://cside.dev | c/side.dev
https://www.theguardian.com/business/2018/sep/06/british-airways-customer-data-stolen-from-its-website | The Guardian reported
https://en.wikipedia.org/wiki/British_Airways_data_breach | The British Airways hack in 2018
https://money.cnn.com/2018/09/07/investing/ba-hack-british-airways/index.html | made headlines all around the world
https://ico.org.uk/ | Information Commissioner's Office (ICO)
https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf | see blacked out section 3.18 of the ICO MNP
https://schoenbaum.medium.com/inside-the-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-8ce1582801a0 | hosted in Romania and provided by a Lithuania hosting provider that rents out virtual servers cheaply, starting from 2 euros per month
https://modernizr.com/ | Modernizr
https://www.linkedin.com/pulse/british-airways-data-breach-something-we-can-all-learn-michael-brown/ | served the Modernizr-version compromised by the attacker
https://darknetdiaries.com/episode/52/ | skimming credit cards from people buying online

JavaScript variables · 14 found

Name | Type
0 | object
onbeforetoggle | object
documentPictureInPicture | object
onscrollend | object
__next_f | object
webpackChunk_N_E | object
_N_E | undefined
next | object
gtag | function
dataLayer | object

Console log messages · 2 found

Type: error | Category: other
URL: https://baways.com/
Text: Error: <svg> attribute preserveAspectRatio: Unrecognized enumerated value, "xMinyMid".

Type: warning | Category: other
URL: https://baways.com/
Text: Unrecognized feature: 'web-share'.

HTML

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preload" href="/_next/static/media/4de1fea1a954a5b6-s.p.woff2" as="font" crossorigin="" type="font/woff2"><link rel="preload" href="/_next/static/media/6d664cce900333ee-s.p.woff2" as="font" crossorigin="" type="font/woff2"><link rel="preload" href="/_next/static/media/7ff6869a1704182a-s.p.woff2" as="font" crossorigin="" type="font/woff2"><link rel="preload" href="/_next/static/media/886f446b96dc7734-s.p.woff2" as="font" crossorigin="" type="font/woff2"><link rel="preload" href="/_next/static/media/e693e841d50dcf2f-s.p.woff2" as="font" crossorigin="" type="font/woff2"><link rel="stylesheet" href="/_next/static/css/ffacef45bdb1b8a5.css" data-precedence="next"><link rel="stylesheet" href="/_next/static/css/86f3cfdf7682773b.css" data-precedence="next"><link rel="preload" as="script" fetchpriority="low" href="/_next/static/chunks/webpack-01145c95a45c76b0.js"><script src="/_next/static/chunks/c99d6d4a-49dda568a231e8a4.js" async=""></script><script src="/_next/static/chunks/594-c98796d75522a08b.js" async=""></script><script src="/_next/static/chunks/main-app-45bdb3c0f25595b6.js" async=""></script><script src="/_next/static/chunks/498-f19ca715fb56e018.js" async=""></script><script src="/_next/static/chunks/app/page-fb090dc4213ec22a.js" async=""></script><script src="/_next/static/chunks/app/layout-3b7240064aa74026.js" async=""></script><link rel="preload" href="https://www.googletagmanager.com/gtag/js?id=G-7R0Z0ZSXRF" as="script"><title>The Third-Party Script Breach That Shook The World</title><meta name="description" content="The British Airways data breach of 2018"><link rel="author" href="https://cside.dev"><meta name="author" content="c/side"><meta name="creator" content="c/side"><meta property="og:title" content="The Third-Party Script Breach That Shook The World"><meta property="og:description" content="The British Airways data 
breach of 2018"><meta property="og:image" content="https://baways.com/hero.webp"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:site" content="@site"><meta name="twitter:creator" content="@csideai"><meta name="twitter:title" content="The Third-Party Script Breach That Shook The World"><meta name="twitter:description" content="The British Airways data breach of 2018"><meta name="twitter:image" content="https://baways.com/hero.webp"><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"><meta name="next-size-adjust"><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" nomodule=""></script></head><body class="__variable_14e21f __variable_1dd84e min-h-dvh relative overflow-x-clip"><div class="sticky top-0 left-0 w-screen bg-[#D40F0F] h-14 max-h-14 z-10"><h1 class="max-w-most w-full mx-auto px-4 py-3.5 flex flex-row items-center text-white gap-2 font-extrabold text-lg font-sans whitespace-nowrap font-lato"><svg width="497" height="140" viewBox="0 0 497 140" fill="none" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinyMid" class="h-7 -mt-0.5 w-24"></svg>SPECIAL 
REPORT</h1></div><main class="w-full"><article class="w-full"><header class="relative bg-cover bg-center bg-[url('/hero.webp')] w-full h-[calc(100vh-3.5rem)] flex flex-col items-center animate-[hero-animation-mobile_linear_forwards] lg:animate-[hero-animation_linear_forwards] bg-no-repeat" style="animation-timeline:scroll();animation-range:0vh 90vh"><div class="absolute w-full h-full bg-gradient-to-b from-transparent via-90% via-black to-black"></div><div class="absolute w-full px-4 sm:min-w-[10rem] sm:w-3/5 bottom-16 text-white text-center"><h1 class="text-5xl sm:text-6xl min-w-[10rem] mb-6 text-balance text-center">The Third-Party Script Breach That Shook The World</h1><h2 class="text-xl sm:text-2xl mb-14 font-lato text-center text-balance">How the British Airways' data breach kickstarted today's toughest web security challenge</h2><p class="text-lg font-lato text-center">by<!-- --> <a href="https://cside.dev" rel="noopener referrer" target="_blank" class="font-lato hover:underline">c/side.dev</a></p></div></header><section class="bg-white w-full flex flex-col items-center text-lg sm:text-xl !leading-8"><div class="w-full px-10 sm:px-24 md:px-0 md:w-[38rem] py-16 max-w-most"><p class="italic text-sm sm:text-base">The story below is brought to you as educational material and is in no way a criticism towards British Airways' security operations. At the time of the attack insufficient security tooling existed to detect attacks leveraging 3rd party resources. To this day the majority of tooling is unable to detect advanced attacks of this particular type.</p><hr class="w-[20rem] mx-auto my-12 border"><p>It happened between<!-- --> <a href="https://www.theguardian.com/business/2018/sep/06/british-airways-customer-data-stolen-from-its-website" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">August 21 and September 5</a> <!-- -->2018. 
During those 16 days, a sophisticated cyberattack hit the British Airways website and app. It exposed the personal data of roughly 300,000 to 500,000 customers.</p><br><p>Payment data were copied and sent to baways.com, a domain that looks very much like the official website and set up specifically to deceive.</p><br><div class="flex items-center justify-center p-6 sm:p-10 font-semibold text-sm border border-main-900">You have landed on baways.com. The shady stuff is gone. This domain now serves a new purpose: telling the story of what went down.</div><br><p>This is not just a chilling story from the past. Every day, somewhere, a company faces this kind of challenge.<!-- --> <a href="https://en.wikipedia.org/wiki/British_Airways_data_breach" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">The British Airways hack in 2018</a> <a href="https://money.cnn.com/2018/09/07/investing/ba-hack-british-airways/index.html" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">made headlines all around the world</a> <!-- -->and kept the airline in a hot seat for years. The 2018 British Airways Data Breach reminds us of the ever-present threat of cyberattacks.</p><br><div>In 2020 the<!-- --> <div class="" style="display:inline" data-tooltipped="" aria-describedby="tippy-tooltip-1" data-original-title="The ICO oversees and enforces data protection laws in the UK. 
It keeps an eye on personal data to make sure it is processed securely and transparently."><span class="rounded-md bg-main-100 p-1 hover:bg-main-200 transition-colors duration-75"><a href="https://ico.org.uk/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">Information Commissioner's Office (ICO)</a><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="text-main-200 fill-main-600 inline -mt-1 ml-1"><circle cx="12" cy="12" r="10" stroke-width="0"></circle><path d="M12 16v-4"></path><path d="M12 8h.01"></path></svg></span></div> <!-- -->published its<!-- --> <a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">Monetary Penalty Notice.</a></div><br><p>In this case, the ICO proposed an unprecedented fine of over £183 million for failing to keep customers' data safe. 
Some of the details of the breach remain undisclosed to this day.</p></div></section><section class="w-full flex flex-col bg-[url('/paper_texture.webp')] bg-repeat-y bg-contain"><div class="relative w-full text-white text-lg sm:text-xl !leading-8 flex flex-col"><div class="flex flex-col relative h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto my-[16rem]"><img id="gaining_access" alt="A stack of paper cutouts, one of which is a laptop with hands at the keyboard on top of a cutout of the script that executed the attack" loading="lazy" width="2494" height="1864" decoding="async" data-nimg="1" class="absolute right-0 -mr-4 sm:-mr-12 md:-mr-6 lg:-mr-16 max-w-4xl top-1/3" style="color:transparent" src="/gaining_access.webp"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-0"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">22 June 2018</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Gaining access and gathering intel</h2><p>On June 22, the attacker sneaked into British Airways' systems using a remote-control access tool, Citrix Access Gateway (CAG). Somehow, the attacker got the login details of a Swissport employee, a cargo services provider.</p><br><p>The account that got hacked didn't have multi factor authentication (MFA) enabled. The stolen Swissport credentials gave the attacker access to the British Airways applications. Then, they started to poke around.</p><br><p>The attacker found a way out of the confined remote access (Citrix) environment that should have restricted users to safe parts of the network. 
British Airways explained in their report to the ICO,<!-- --> <a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Monetary Penalty Notice</a> <!-- -->(sections 3.10, 3.11), they're not exactly sure how the attacker pulled this off. The official documents blacked out the hypothetical details.</p><br><p>Once the attacker bypassed the initial hurdles, they dug in deeper. Then they brought in tools to further explore the British Airways' network. It's like gathering the intel for the attack. They checked the network for loopholes and vulnerabilities, and sized up the security setup, setting the groundwork for the attack plan.</p></div></div><div class="flex flex-col relative h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto my-[16rem]"><img id="keys_to_the_castle" alt="A stack of paper cutouts, one of which is a laptop on top of a cutout of information from the British Airways penalty notice" loading="lazy" width="1942" height="1711" decoding="async" data-nimg="1" class="absolute left-8 -ml-4 sm:-ml-12 md:-ml-6 lg:-ml-16 max-w-3xl top-1/3" style="color:transparent" src="/keys_to_the_castle.webp"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-1/2"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">23-26 June 2018</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Finding the keys to the castle</h2><p>Consider this: While snooping around, the attacker found the login credentials of a privileged domain administrator account (<a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">ICO MNP, section 3.15</a>).</p><br><p class="font-bold">These credentials were just sitting in a file: unencrypted, in plain 
text.</p><br><p>This is a critical security oversight. It's also a game changer in this story. A domain administrator account is one of the highest user levels. This account has control over the settings and configuration of the domain. It can add and remove users. It manages privileges and security settings. Also, it has access to all computers and servers in the domain.</p><br><p>Now the attacker held the keys to the castle, giving them free access to mess up the network resources.</p><br><p>On June 23, they tried to log in with the system administrator's credentials. Three attempts failed. But two days later, on June 25, the attacker managed to log in into three different servers. What happened there is insider knowledge (<a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">see blacked out section 3.18 of the ICO MNP</a>). And on June 26, the attacker found the username and password of a database administrator. This adds a new twist to this story.</p></div></div><div class="flex flex-col relative h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto my-[16rem]"><img id="payment_cards" alt="A hand holding a credit card, on top of a paper cutout of the script that executed the attack on British Airways" loading="lazy" width="2141" height="1550" decoding="async" data-nimg="1" class="absolute right-0 -mr-4 sm:-mr-12 md:-mr-6 lg:-mr-16 max-w-4xl top-1/3" style="color:transparent" src="/payment_cards.webp"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-0"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">26 July 2018</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Payment cards in plain sight</h2><p>By now, the attacker is getting pretty comfortable. They logged into servers to check out what data they could use. 
The research was worth it: on July 26 they stumbled upon log files with payment card details. More good news for the attacker, because they were stored in plain text.</p><br><p>Roughly 108,000 payment cards used in redemption transactions were exposed. They were used for things like flight miles, rewards, and such.</p><br><p><span class="font-bold">Now figure this:</span> these payment data weren't supposed to be stored at all. It turned out that this was a testing feature, and it was not supposed to be used when the systems went live.</p><br><p>British Airways reported that the payment card details were stored in plain text due to human error. As a consequence, payment card details had been logged since December 2015. The data were only being kept for 95 days.</p><br><p>Busy days for the attacker. The next discovery were files that contained the code for the British Airways' website.</p></div></div><div class="flex flex-col relative h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto my-0 bg-[url('/theft_of_customer_data.webp')] bg-fixed bg-center bg-cover max-w-none"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-1/2 my-[16rem] max-w-[48rem]"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">14 August - 5 September 2018:</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">… and action!</h2><p>Now here we are, at last, at the heart of the breach. The attack is about to go down and roughly 300,000 to 500,000 individuals are about to be affected.</p><br><p>On a side note, it can be really tough to precisely pin down what data is impacted and over what timeframe because of the complexity of the attack vector's dynamic ability, especially since often website owners have no real insight into what happens in the browser of a user. Also, it takes time for forensics to determine the nature of the attack and understand the breach.</p><br><p>What is about to happen now? 
Let's make an educated guess. The attacker is ready to inject malicious code into a file that is being used on British Airways' website. They are doing some testing and optimizing to make sure the script is working as intended.</p><br><p>The code should secretly copy the payment card data customers enter into the payment form on the British Airways' website or in the app. And remain undetected for as long as possible. Next, it should send the data to an endpoint they control. And so, in a sneaky and sophisticated move, the attacker is skimming the payment cards.</p><br><p>It was happening right under everybody's nose without any disruption of the payment process.</p></div></div></div></section><section class="relative w-full bg-black py-24 flex flex-col items-center px-8 sm:px-20"><div class="w-full max-w-[44rem]"><img alt="A description of the attack from the penalty notice (as follows): 3.25. Between 14 August 2018 and 25 August 2018, the Attacker [redacted] to redirect customer payment card data to a different website: 'BAways.com'. BAways.com was a site owned and controlled by the Attacker. It appears from BA's Second Representations that [redacted] had the effect of copying and redirecting payment card data to 'BAways.com' (which BA refers to as 'skimming'). [redacted] remained active on BA's website for a period of 15 days between 21 August 2018 and 5 September 2018. During this time, when customers entered payment card information into BA's website, a copy was sent to the Attacker, without interrupting the normal BA booking and payment procedure." 
loading="lazy" width="1724" height="916" decoding="async" data-nimg="1" class="mb-6 rounded-md" style="color:transparent" src="/attack_description.webp"><p class="italic text-sm sm:text-base underline text-white"><a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Description of the attack - the ICO Monetary Penalty Notice, section 3.15</a> <!-- -->clearly stating that the skimming took place between 21 August and 5 September</p></div></section><section id="big-map" class="hidden md:flex w-full flex-col text-white text-lg sm:text-xl !leading-8 transition-all duration-300 ease-in-out" style="background-image:url('/big_map.webp');background-attachment:fixed;background-size:max(300dvw, 96rem) auto;background-position:8% 0%"><div class="flex flex-col relative my-[32rem] h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-0"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">Step 1</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">The domain baways.com is set up</h2><p>The attacker set up the domain baways.com as part of their strategy. It is common for the brand to use 'BA' in their marketing materials, therefore the domain name wouldn't immediately cause concern.</p><br><p>At the time, the domain was<!-- --> <a href="https://schoenbaum.medium.com/inside-the-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-8ce1582801a0" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">hosted in Romania and provided by a Lithuania hosting provider that rents out virtual servers cheaply, starting from 2 euros per month</a>. 
If security monitoring had been in place, this might have raised a couple of red flags.</p><br><p>On the other hand, the payment data was sent from the customer's computer.</p></div></div><div class="flex flex-col relative my-[32rem] h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-1/2"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">Step 2</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">A third-party script enters the picture…</h2><p>Here's where third-party scripts come into the picture. Essentially, these scripts are lines of code from outside sources used to make a website interactive. Think of chatbots, newsletter sign-up forms, social media features, marketing monitoring, captchas, advertising, and analytic tools…</p><br><p>One tiny weak spot in one of those third-party scripts can cause a big security headache.</p><br><p>Monitoring all these external scripts and keeping users safe is a huge challenge. Website owners have only limited control over the content of those scripts because they are often hosted and managed elsewhere. If a vendor makes a mistake or is unaware of a security vulnerability in their code or infrastructure, that might leave doors and windows open for bad actors.</p><br><p>Adding more scripts also means more potential security gaps to monitor. What is okay today might be a security incident tomorrow.</p><br><p>Some third-party scripts are developed and offered by companies or external consultants that may lack the necessary technical expertise. That makes it harder for website owners to monitor the security of their applications over time, expanding the risk.</p><br><p>Also, marketing automation firms can get acquired by larger firms without their customers noticing. These acquisitions frequently lead to personnel changes. 
Consequently, scripts may go unmonitored as the maintainers are no longer with the company, and the new owner may be unaware of their existence or the associated risk. In the most extreme cases this can lead to a full-fledged domain takeover if they forget to renew the domain name used to host a script.</p></div></div><div class="flex flex-col relative my-[32rem] h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-0"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">Step 3</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Injecting malicious code</h2><p>Typically, any website these days uses a lot of JavaScript, a programming language used to build interactive websites, as well as a dozen or a couple of dozen external scripts. The<!-- --> <a href="https://schoenbaum.medium.com/inside-the-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-8ce1582801a0" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">British Airways website at the time of the breach loaded roughly 20 different scripts</a>. It loaded 30, if you count the booking page.</p><br><p>When you visit a website, the website asks your browser to go to another source to obtain a piece of code. Your browser then executes this code. From the browser's point of view, a script is legitimate. For example, listening to the inputs on a form is a totally legitimate action for a script to perform. However, if the data is sent to an endpoint owned by a bad actor, it could have a negative impact: browsers are not set up to assess endpoint legitimacy.</p><br><p>In this case, the attacker injected harmful code into a JavaScript library called<!-- --> <a href="https://modernizr.com/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Modernizr</a>. 
Modernizr helps websites run well in all kinds of browsers. It is widely used, including by the British Airways website. As a result, the British Airways web server<!-- --> <a href="https://www.linkedin.com/pulse/british-airways-data-breach-something-we-can-all-learn-michael-brown/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">served the Modernizr-version compromised by the attacker</a>. The malicious script was specifically designed to hit British Airways' infrastructure only.</p><br><p><span class="font-bold">The fallout was huge.</span> But it could have been worse. If a widely used third-party script is compromised and loaded from a third-party source, it could harm many different and interconnected systems. And just like that, websites all over the world can be serving malicious code. Such an attack is called a supply chain attack. Picture a digital domino effect, setting off trouble across the web globally.</p></div></div><div class="flex flex-col relative my-[32rem] h-auto w-full lg:px-24 px-4 sm:px-12 md:px-6 max-w-most mx-auto"><div class="relative w-full md:w-1/2 bg-black/90 rounded-lg p-10 flex flex-col items-center md:left-1/2 px-0 [&amp;>*]:px-10"><h3 class="text-2xl font-semibold font-lato mb-4 text-center">Step 4</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Stealing data</h2><p>It takes skill and dedication to pull this off. The style of the attack carries the trademark of the hacker group<!-- --> <a href="https://darknetdiaries.com/episode/52/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Magecart</a>, which, among others, perfected<!-- --> <a href="https://www.riskiq.com/wp-content/uploads/2019/06/Magecart-Background-JS-Injection-BPD.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">the technique of sneaking bad bits of code into the digital mix</a>. 
Their favorite trick:<!-- --> <a href="https://darknetdiaries.com/episode/52/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">skimming credit cards from people buying online</a>. The trick is to stay under the radar as long as possible to optimize the result.</p><br><img alt="The script that caused the loss of data" loading="lazy" width="2090" height="1324" decoding="async" data-nimg="1" class="!px-0 w-full" style="color:transparent" src="/step_4_script_screenshot.webp"><br><p class="self-start"><a href="https://schoenbaum.medium.com/inside-the-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-8ce1582801a0" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">The script that caused the loss of data and a look under the hood.</a></p><br><p>First, the code is waiting for the user to complete the payment confirmation on the check-out page. Once the button is clicked, the script grabs the payment and personal data entered in the form. Next, the stolen data is packed and sent to baways.com. This is done quietly in the background, so the customer won't notice. A wait of 500ms may be used to ensure the webpage keeps working as usual, so the customer doesn't realize something is wrong.</p><br><p>Can we blame the customer for being careless somehow? As a matter of fact, the malicious activity was designed to be invisible to users. The payment process appeared normal. There were no security warnings, pop-ups, or slowed performance. There were also no visible changes to the website. 
This made the attack particularly subtle.</p><br><p>It would have been extremely hard, if not impossible, for customers to spot their data being stolen.</p></div></div></section><section class="bg-white w-full flex flex-col items-center text-lg sm:text-xl !leading-8"><div class="w-full px-10 sm:px-24 md:px-0 md:w-[38rem] py-16 max-w-most flex flex-col items-center"><h3 class="font-lato font-bold text-2xl mb-4 text-center">5-7 September 2018:</h3><h1 class="font-lato font-bold text-5xl mb-4 text-center">Neutralizing and informing</h1><p>When British Airways was<!-- --> <a href="https://www.theregister.com/2018/09/11/british_airways_website_scripts/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">notified of the breach by a third party</a>, they acted swiftly. In just 90 minutes, they neutralized the malicious code. Then, 20 minutes later, they blocked access to the suspicious baways.com. They didn't stop there. They promptly reached out to the Information Commissioner's Office (ICO). Not only that, but they also contacted banks involved in the processing of the payments, and nearly half a million customers.</p><br><img alt="A screenshot of the email sent to notify British Airways customers of the leak" loading="lazy" width="3500" height="2252" decoding="async" data-nimg="1" style="color:transparent" src="/ba_email.webp"><br><p>A few days later, they notified an<!-- --> <a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">additional 39,480 customers</a> <!-- -->as mentioned in the ICO MPN (section 2.27) and beefed up their security. 
This included setting up multi-factor authentication (MFA) for all remote access accounts, which adds an extra security layer to protect login credentials.</p><br><p>The breach caught a lot of<!-- --> <a href="https://www.bbc.com/news/technology-45446529" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">media attention</a> <!-- -->because of its scale.<!-- --> <a href="https://www.theguardian.com/business/2018/sep/06/british-airways-customer-data-stolen-from-its-website" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">The Guardian reported</a> <!-- -->that about 380,000 payment cards had been compromised. Also, they reported no travel or passport details had been stolen. As more details emerged, British Airways<!-- --> <a href="https://www.bbc.com/news/uk-england-london-45440850" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">kept up their communication</a>. British Airways' boss even apologized during<!-- --> <a href="https://www.bbc.com/news/uk-england-london-45440850" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">a BBC interview</a>. 
He committed to making it right for everyone affected.</p><br><iframe width="540" height="304" class="w-full" src="https://www.youtube.com/embed/Jf5Q6s-Yv5M" title="BA Chief Apologises Over Hacking Of Travellers' Credit Card Details" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen=""></iframe><p class="text-xs mt-4 w-full">Video from 7Edition on YouTube.</p><br></div></section><section class="w-full"><img alt="A paper cutout of the British Airways Chief on top of a paper cutout of a news headline that reads 'BA slapped with £183m fine over customer data stolen by hacker'" loading="lazy" width="3288" height="1849" decoding="async" data-nimg="1" class="w-full h-auto" style="color:transparent" src="/slapped_with_fine_cover.webp"></section><section class="bg-black w-full flex flex-col items-center text-lg sm:text-xl !leading-8"><div class="w-full px-10 sm:px-24 md:px-0 md:w-[38rem] py-16 max-w-most flex flex-col items-center text-white"><h2 class="font-bold font-lato text-5xl mt-16 text-center">Numbers Numbers</h2><br><p>It took time to get a clear picture of the exact impact of the breach. How many individuals were impacted? 
What specific data was actually exposed?<!-- --> <a href="https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">The Penalty Notice of the Information Commissioner's Office (ICO) of 16 October 2020</a>, reports the cyberattack exposed personal data of about 429,612 individuals including:</p><br><ul class="list-[square] gap-4 pl-5 [&amp;>li]:mb-2"><li>full card details for 244,000 individuals</li><li>card and CVV for 77,000 individuals</li><li>card numbers only for 108,000 individuals</li><li>usernames and passwords of BA employee and administrator accounts</li><li>usernames and pins of up to 612 BA Executive Club accounts</li></ul></div></section><section class="px-4 w-full mx-auto text-white bg-main-900/10 text-lg sm:text-xl !leading-8 bg-gradient-to-b from-main-primary to-main-900 bg-no-repeat bg-fixed"><div class="py-[20rem] h-auto w-full flex flex-col items-center max-w-most mx-auto"><div class="relative w-full bg-black/80 rounded-lg p-10 flex flex-col items-center max-w-[42rem]"><div class="w-full mb-6"><img alt="The news headline that reads 'BA slapped with £183m fine over customer data stolen by hacker'" loading="lazy" width="900" height="300" decoding="async" data-nimg="1" class="rounded-sm" style="color:transparent" src="/ba_fine.webp"></div><h3 class="text-2xl mb-4 text-center">4 July 2019</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">A £183.39 million fine</h2><p>A major news update occurred on July 4, 2019. The ICO decided to take serious action against British Airways. It announced a fine of about 1.5% of the airline's 2017 turnover, amounting to £183.39 million. It argued in detail about the failures to protect customer data and GDPR violations. GDPR stands for General Data Protection Regulation. This EU framework gives individuals more control over their personal data. 
It also tells organizations how to handle and safeguard customer data.</p><br><p>Now,<!-- --> <a href="https://gdpr.eu/fines/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">GDPR fines</a> <!-- -->collected from data breaches are not used to compensate the affected customers directly. Instead, they are primarily<!-- --> <a href="https://pogustgoodhead.com/high-court-in-london-granted-a-group-litigation-order-following-september-2018-british-airways-data-breach/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">passed on to the EU authorities and the UK Government.</a></p><hr class="border border-current w-1/2 mx-auto mb-6 mt-16" style="color:#CD210F"></div></div><div class="py-[20rem] h-auto w-full flex flex-col items-center max-w-most mx-auto"><div class="relative w-full bg-black/80 rounded-lg p-10 flex flex-col items-center max-w-[42rem]"><div class="w-full mb-6"><img alt="A news headline that reads 'BA settles class action lawsuit over 2018 data breach'" loading="lazy" width="900" height="300" decoding="async" data-nimg="1" class="rounded-sm" style="color:transparent" src="/litigation.webp"></div><h3 class="text-2xl mb-4 text-center">4 October 2019 - today</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">Litigation for compensation</h2><p>So, about half a million customers felt left out in the cold and<!-- --> <a href="https://www.dailymail.co.uk/news/article-7539707/Half-million-British-Airways-customers-told-sue-airline-data-breach.html" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">wanted compensation</a>. 
On October 4, 2019, a group of 6000 impacted<!-- --> <a href="https://pogustgoodhead.com/high-court-in-london-granted-a-group-litigation-order-following-september-2018-british-airways-data-breach/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">customers got the green light to sue British Airways</a> <!-- -->collectively. As a matter of fact, British Airways faced a number of<!-- --> <a href="https://www.bagroupaction.com/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">group litigation orders</a> <a href="https://www.independent.co.uk/travel/news-and-advice/british-airways-data-breach-compensation-b1786805.html" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">to get compensation</a> <!-- -->throughout<!-- --> <a href="https://www.independent.co.uk/travel/news-and-advice/british-airways-data-breach-compensation-b1786805.html" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">2021 by various law firms</a>. For instance, the law firm PGMBM represented over 16,000 victims and reached a confidential out-of-court settlement.<!-- --> <a href="https://pogustgoodhead.com/british-airways-data-breach-claim-settled-on-confidential-terms-2/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Details of the settlement</a> <!-- -->were not disclosed. In a previous communication, PGMBM estimated<!-- --> <a href="https://pogustgoodhead.com/british-airways-data-breach-claim-becomes-biggest-of-its-kind-in-the-uk/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">damages of up to £2000 per claimant</a>. 
Another law firm, Your Lawyer, also participated in the litigation: they referred to an expected average of<!-- --> <a href="https://www.thesun.co.uk/money/13665046/british-airways-data-hack-compensation/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">£6000 per claimant</a>.</p><br><p>Legal battles are complex and can be long-lasting. Also, they add to the financial and reputational harm of data breaches. And what is more, it looks like the financial impact from victims in class action suits might surpass the fines imposed by regulators.</p><br><div class="p-6 sm:p-10 border border-white">British Airways is not alone in this experience. Why not put class action waivers (the US version of the UK group litigation order) in the small print of the terms and conditions? This is what happened in the<!-- --> <a href="https://coverlink.com/case-study/marriott-data-breach/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Marriott data breach case</a>, also a massive data breach in 2018. 
Marriott argued that the class action waiver in its terms and conditions<!-- --> <a href="https://www.privacyworld.blog/2023/10/recent-marriott-data-breach-class-action-decision-underscores-the-importance-of-class-action-waivers/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">should prevent the class action group</a> <!-- -->from moving forward.<!-- --> <a href="https://www.privacyworld.blog/2023/10/recent-marriott-data-breach-class-action-decision-underscores-the-importance-of-class-action-waivers/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">Speaking of a lengthy case: the case is ongoing</a>.</div><hr class="border border-current w-1/2 mx-auto mb-6 mt-16" style="color:#305D9A"></div></div><div class="py-[20rem] h-auto w-full flex flex-col items-center max-w-most mx-auto"><div class="relative w-full bg-black/80 rounded-lg p-10 flex flex-col items-center max-w-[42rem]"><div class="w-full mb-6"><img alt="A news headline that reads 'British Airways is fined £20m by Information Commissioners Office after personal details of 400,000 customers was accessed by hackers in 2018 data breach'" loading="lazy" width="900" height="300" decoding="async" data-nimg="1" class="rounded-sm" style="color:transparent" src="/ba_fine_reduced.webp"></div><h3 class="text-2xl mb-4 text-center">16 October 2020</h3><h2 class="text-3xl font-semibold font-lato mb-4 text-center">The fine is reduced to £20 million</h2><p>Following negotiations,<!-- --> <a href="https://www.shlegal.com/insights/an-analysis-of-the-BA-Monetary-Penalty-Notice" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">the ICO reduced the penalty to £20 million</a>. 
The negotiations assessed the impact of the breach, British Airways' cooperation and accountability, and the financial strain of the COVID-19 pandemic.</p><hr class="border border-current w-1/2 mx-auto mb-6 mt-16" style="color:#CD210F"></div></div></section><section class="bg-white w-full flex flex-col items-center text-lg sm:text-xl !leading-8"><div class="w-full px-10 sm:px-24 md:px-0 md:w-[38rem] py-16 max-w-most"><h1 class="font-lato font-bold text-5xl mb-8 text-center mt-16 text-main-800">Don't Be The Story</h1><p>The 2018 British Airways data breach was a real wake-up call. It shows how a single leaked credential opened up an internal network to various high-end attacks. Today, adoption of security tooling to prevent inbound attacks has never been as high. We're seeing an increase in adoption of security products focussed on supply chain attacks through registries like Node Package Manager (NPM). However, browser-side third-party scripts are often still forgotten about or protected only to the bare minimum required by compliance.</p><br><h3 class="font-lato font-semibold text-3xl mt-16 text-center text-balance text-main-800">Could you be next?</h3><br><p>Never say never. Attacks similar to the British Airways attack happen regularly. Sites can easily be caught in the crossfire, for example<!-- --> <a href="https://www.wired.com/story/magecart-amazon-cloud-hacks/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-main-primary border-main-primary">17,000 websites</a> <!-- -->were compromised as a result of a single exploit. It is never good enough to trust a source and not verify its behavior over time. Knowing the critical need for cybersecurity is a good start.</p><br><p>Consider the basics:</p><br><ul class="list-[square] gap-4 pl-5 [&amp;>li]:mb-2"><li>Pick safe 3rd party sources. Some 3rd party scripts are developed and offered by companies or external consultants that lack the necessary technical expertise. 
It's important to acknowledge potential risks; some companies may lack adequate preparation to address cyberattacks.</li><li>Monitor the scripts over time using specialized tooling that reviews content, not just the source. A one-time security review is not sufficient for a delivery method that can be fully dynamic.</li><li>Remove services if you no longer need them and do not run scripts on pages unless they serve a purpose there. Example: on the payment portal you may not need to embed third party advertisements.</li></ul><br><h3 class="font-lato font-semibold text-3xl text-center mt-16 text-balance text-main-800">New security standard for online payments</h3><br><p>Preventing attacks with compromised third-party scripts is tough. But even so, keeping customer data safe is a top priority. And talking about keeping credit card details safe? That's where the new Payment Card Industry Data Security Standard 4.0 (PCI DSS 4.0) comes in. This is a new set of rules created by the PCI Security Standards Council to keep debit and credit card transactions safe from data theft and fraud.</p><br><p>The PCI DSS 4.0 update requires organizations that take payments online to maintain an inventory of all system components relevant to PCI DSS. This includes bespoke and custom software, as well as third-party scripts (section 6.4.1).</p><br><p>And there's more: forget about yearly checkups. Section 11.6.1 mandates obtaining a tamper monitoring system. 
Keeping payments safe involves constant reviews and updates of all the digital gear for online shopping.<!-- --> <b>From now on, the PCI DSS 4.0 wants a digital security guard in charge 24/7.</b></p></div></section><section class="bg-black text-white w-full flex flex-col items-center text-lg sm:text-xl !leading-8"><div class="w-full px-10 sm:px-24 md:px-0 md:w-[38rem] py-16 max-w-most mx-auto"><hr class="border border-main-400 text-main-400 w-1/2 mx-auto mt-4 mb-14"><h1 class="text-6xl font-lato font-semibold text-center text-balance">c/side to the rescue</h1><hr class="border border-main-400 text-main-400 w-1/2 mx-auto my-14"><p><a href="https://cside.dev/" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">c/side</a> <!-- -->has rolled out a new and very elegant tool. It monitors, optimizes and secures all third party scripts running on your website. This solution makes sure that you are protected at all times by putting itself between your users and the third party service. If a third party serves a different payload to a user, in c/side you'll know about it.</p><br><p>Our free tier offers a range of basic features allowing you to meet PCI DSS 4.0 (section 6.4.3) compliance, as it lets you monitor your scripts. 
Explore our upgraded tiers for advanced detection methods and more fine grained insights.</p><br><p>Read our<!-- --> <a href="https://cside.dev/blog/pci-dss-40-complete-guide-and-steps" rel="noopener referrer" target="_blank" class="border-b border-dotted underline text-white border-white">full guide to PCI DSS 4.0 compliance here</a>.</p></div></section></article></main><script src="/_next/static/chunks/webpack-01145c95a45c76b0.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/media/4de1fea1a954a5b6-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n2:HL[\"/_next/static/media/6d664cce900333ee-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n3:HL[\"/_next/static/media/7ff6869a1704182a-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n4:HL[\"/_next/static/media/886f446b96dc7734-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n5:HL[\"/_next/static/media/e693e841d50dcf2f-s.p.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n6:HL[\"/_next/static/css/ffacef45bdb1b8a5.css\",\"style\"]\n7:HL[\"/_next/static/css/86f3cfdf7682773b.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"8:I[9341,[],\"\"]\na:I[8600,[],\"ClientPageRoot\"]\nb:I[5608,[\"498\",\"static/chunks/498-f19ca715fb56e018.js\",\"931\",\"static/chunks/app/page-fb090dc4213ec22a.js\"],\"default\",1]\n13:I[3998,[],\"\"]\n14:I[6057,[],\"\"]\n15:I[9114,[\"185\",\"static/chunks/app/layout-3b7240064aa74026.js\"],\"GoogleAnalytics\"]\n17:I[2251,[],\"\"]\n"])</script><script>self.__next_f.push([1,"
58.9506 71.3283 61.9325Z18:[]\n"])</script><script>self.__next_f.push([1,"0:[\"$\",\"$L8\",null,{\"buildId\":\"sS5y_1ZUEJMJP9KGcRdc_\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"\"],\"initialTree\":[\"\",{\"children\":[\"__PAGE__\",{}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"__PAGE__\",{},[[\"$L9\",[\"$\",\"$La\",null,{\"props\":{\"params\":{},\"searchParams\":{}},\"Component\":\"$b\"}],[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/86f3cfdf7682773b.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]]],null],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ffacef45bdb1b8a5.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"body\",null,{\"className\":\"__variable_14e21f __variable_1dd84e min-h-dvh relative overflow-x-clip\",\"children\":[[\"$\",\"div\",null,{\"className\":\"sticky top-0 left-0 w-screen bg-[#D40F0F] h-14 max-h-14 z-10\",\"children\":[\"$\",\"h1\",null,{\"className\":\"max-w-most w-full mx-auto px-4 py-3.5 flex flex-row items-center text-white gap-2 font-extrabold text-lg font-sans whitespace-nowrap font-lato\",\"children\":[[\"$\",\"svg\",null,{\"width\":\"497\",\"height\":\"140\",\"viewBox\":\"0 0 497 140\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"preserveAspectRatio\":\"xMinyMid\",\"className\":\"h-7 -mt-0.5 w-24\",\"children\":[[\"$\",\"path\",null,{\"d\":\"M439.471 79.423C439.471 60.5608 450.633 48.5068 468.267 48.5068C482.777 48.5068 496.058 58.1053 496.393 79.6463V82.9946H456.436C457.329 91.4771 461.57 96.6112 468.267 96.6112C472.955 96.6112 476.973 93.7093 478.87 88.7984L495.5 90.4725C492.263 102.415 481.549 110.339 468.267 110.339C450.633 110.339 439.471 98.2853 439.471 79.423ZM456.883 73.1728H479.317C477.866 66.0297 473.624 62.2349 468.267 62.2349C462.24 62.2349 458.222 66.2529 456.883 
73.1728Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M432.484 29.7561V109H417.304L416.97 100.406C413.733 106.768 408.487 110.339 400.451 110.339C386.388 110.339 377.906 97.6157 377.906 79.4231C377.906 61.2305 386.388 48.5068 400.451 48.5068C407.929 48.5068 413.063 51.9667 416.746 58.3286V29.7561H432.484ZM394.536 79.4231C394.536 89.3565 398.554 96.6112 406.255 96.6112C413.845 96.6112 417.863 89.2448 417.863 79.4231C417.863 69.4897 413.845 62.1233 406.255 62.1233C398.554 62.1233 394.536 69.3781 394.536 79.4231Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M357.078 49.8461V95.0486H374.936V109H320.135V95.0486H341.229V63.7975H321.586V49.8461H357.078ZM341.118 42.9262V29.7561H356.966V42.9262H341.118Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M292.276 69.0432C291.494 64.3556 288.146 62.2349 283.235 62.2349C278.771 62.2349 275.422 64.0207 275.757 67.369C276.092 71.0522 280.556 72.1683 288.927 74.0657C300.981 76.6328 309.91 82.9946 309.91 92.7048C309.91 104.312 300.2 110.339 285.244 110.339C270.288 110.339 258.904 102.192 258.011 89.6913L275.087 89.0216C275.534 93.9325 279.664 96.6112 285.244 96.6112C290.043 96.6112 293.28 95.3834 293.28 92.2583C293.28 89.0216 288.816 87.6823 281.114 85.7849C268.056 82.6598 259.127 76.856 259.127 67.2574C259.127 55.8731 269.842 48.5068 284.24 48.5068C297.298 48.5068 307.79 56.2079 309.575 68.3736L292.276 69.0432Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M207.606 119.045L240.643 26.631H255.822L222.785 119.045H207.606Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M182.984 73.6193C181.979 66.9226 177.515 62.2349 171.823 62.2349C164.233 62.2349 159.769 68.82 159.769 79.423C159.769 90.0261 164.233 96.6112 171.823 96.6112C177.85 96.6112 182.314 91.9235 183.207 85.1152L199.837 85.7849C198.386 100.406 186.779 110.339 171.823 110.339C154.188 110.339 143.139 98.2853 143.139 79.423C143.139 60.5608 154.188 48.5068 171.823 48.5068C186.332 48.5068 198.163 58.3286 199.614 
72.7264L182.984 73.6193Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$c\",\"fill\":\"currentColor\"}],[\"$\",\"mask\",null,{\"id\":\"mask0_373_1224\",\"style\":{\"maskType\":\"alpha\"},\"maskUnits\":\"userSpaceOnUse\",\"x\":\"17\",\"y\":\"5\",\"width\":\"106\",\"height\":\"130\",\"children\":[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"M72.0482 6.20442C70.7276 5.7092 69.2724 5.7092 67.9518 6.20442L21.2851 23.7044C19.0083 24.5582 17.5 26.7347 17.5 29.1663V69.9997C17.5 90.1039 30.8102 106.168 42.8254 116.681C48.9555 122.045 55.0582 126.238 59.6167 129.087C61.902 130.515 63.8148 131.616 65.1696 132.366C65.8474 132.741 66.3867 133.029 66.7644 133.227C66.9533 133.326 67.1018 133.403 67.2073 133.457C67.26 133.484 67.3019 133.505 67.3327 133.521L67.3704 133.54L67.383 133.546L67.3877 133.549C67.3895 133.55 67.3913 133.55 69.9999 128.333L67.3913 133.55C69.0335 134.372 70.9665 134.372 72.6087 133.55L69.9999 128.333C72.6086 133.55 72.6105 133.55 72.6123 133.549L72.617 133.546L72.6295 133.54L72.6673 133.521L72.7359 133.486L72.7927 133.457C72.8982 133.403 73.0467 133.326 73.2356 133.227C73.6133 133.029 74.1526 132.741 74.8304 132.366C76.1852 131.616 78.098 130.515 80.3833 129.087C84.9418 126.238 91.0445 122.045 97.1746 116.681C109.19 106.168 122.5 90.1039 122.5 69.9997V29.1663C122.5 26.7347 120.992 24.5582 118.715 23.7044L72.0482 6.20442Z\",\"fill\":\"currentColor\"}]}],[\"$\",\"g\",null,{\"mask\":\"url(#mask0_373_1224)\",\"children\":[[\"$\",\"path\",null,{\"d\":\"M63.0073 119.741C59.4887 96.1154 68.0841 77.2661 75.6192 66.0522C76.187 65.2072 76.1232 64.0867 75.4471 63.3256C74.5909 62.3617 73.0903 62.3392 72.2277 63.2973C55.9914 81.329 49.9015 100.332 47.0801 116.958C46.8779 118.15 47.5412 119.314 48.6616 119.767L54.2866 122.043C54.4968 122.128 54.7173 122.185 54.9423 122.213L60.0533 122.847C61.8114 123.065 63.2682 121.494 63.0073 
119.741Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"M76.6824 62.2279C75.188 60.5454 72.5374 60.4827 70.9989 62.1913C54.4898 80.526 48.3055 99.8555 45.4501 116.681C45.1156 118.653 46.215 120.56 48.0412 121.299L53.6662 123.575C54.01 123.715 54.3705 123.808 54.7385 123.854L54.9419 122.213L54.7385 123.854L59.8495 124.487C62.7539 124.848 65.0545 122.27 64.6417 119.498C61.2038 96.4139 69.5965 77.9784 76.9907 66.9741C77.9694 65.5176 77.8701 63.5651 76.6824 62.2279ZM73.4556 64.4033C73.6424 64.1958 73.9931 64.1781 74.2109 64.4233C74.3753 64.6084 74.4038 64.8968 74.2469 65.1304C66.571 76.5539 57.7727 95.817 61.372 119.985C61.4811 120.718 60.8682 121.283 60.2562 121.207L55.1453 120.573C55.0632 120.563 54.9829 120.542 54.9062 120.511L54.2862 122.043L54.9062 120.511L49.2812 118.235C48.8666 118.067 48.6394 117.647 48.7093 117.235C51.4966 100.809 57.4921 82.132 73.4556 64.4033Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M95.5877 87.6594C90.8551 72.7306 80.4575 61.9938 75.8503 58.4915C72.7212 56.9925 75.783 54.0477 86.336 58.4297C106.924 66.9785 101.503 106.32 95.5877 87.6594Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$d\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M76.4001 91.4283C79.5707 78.5285 76.7878 66.1773 74.9999 61.6142C73.397 59.1526 76.9149 58.3639 82.6184 66.1776C93.7453 81.4212 72.4369 107.553 76.4001 91.4283Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$e\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M102.012 60.0032C92.5991 55.3739 82.777 55.4601 79.0426 56.0819C76.9392 56.9131 76.8261 54.0488 83.5882 50.9323C96.7804 44.8523 113.779 65.7898 102.012 
60.0032Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$f\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M63.19 38.1293C71.2456 44.8483 75.1589 53.8576 76.1086 57.5224C76.204 59.782 78.8671 58.7213 78.9662 51.2762C79.1595 36.7516 53.1206 29.7304 63.19 38.1293Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$10\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M52.4915 72.9829C60.3869 66.0764 69.8971 63.6191 73.6653 63.2538C75.912 63.5127 75.2805 60.7166 67.9424 59.4552C53.6265 56.9943 42.6223 81.616 52.4915 72.9829Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$11\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"d\":\"M38.0206 52.4632C53.6611 51.6623 67.3614 57.6364 72.2565 60.7236C74.7573 63.1286 76.4419 59.2288 68.6387 50.8816C53.4154 34.5969 18.47 53.4644 38.0206 52.4632Z\",\"fill\":\"currentColor\"}],[\"$\",\"path\",null,{\"fillRule\":\"evenodd\",\"clipRule\":\"evenodd\",\"d\":\"$12\",\"fill\":\"currentColor\"}]]}]]}],\"SPECIAL REPORT\"]}]}],[\"$\",\"$L13\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L14\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI 
Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],\"notFoundStyles\":[]}]]}],[\"$\",\"$L15\",null,{\"gaId\":\"G-7R0Z0ZSXRF\"}]]}]],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$L16\"],\"globalErrorComponent\":\"$17\",\"missingSlots\":\"$W18\"}]\n"])</script><script>self.__next_f.push([1,"16:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"The Third-Party Script Breach That Shook The World\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"The British Airways data breach of 2018\"}],[\"$\",\"link\",\"4\",{\"rel\":\"author\",\"href\":\"https://cside.dev\"}],[\"$\",\"meta\",\"5\",{\"name\":\"author\",\"content\":\"c/side\"}],[\"$\",\"meta\",\"6\",{\"name\":\"creator\",\"content\":\"c/side\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:title\",\"content\":\"The Third-Party Script Breach That Shook The 
World\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:description\",\"content\":\"The British Airways data breach of 2018\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image\",\"content\":\"https://baways.com/hero.webp\"}],[\"$\",\"meta\",\"10\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"11\",{\"name\":\"twitter:site\",\"content\":\"@site\"}],[\"$\",\"meta\",\"12\",{\"name\":\"twitter:creator\",\"content\":\"@csideai\"}],[\"$\",\"meta\",\"13\",{\"name\":\"twitter:title\",\"content\":\"The Third-Party Script Breach That Shook The World\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:description\",\"content\":\"The British Airways data breach of 2018\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:image\",\"content\":\"https://baways.com/hero.webp\"}],[\"$\",\"link\",\"16\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}],[\"$\",\"meta\",\"17\",{\"name\":\"next-size-adjust\"}]]\n9:null\n"])</script><script id="_next-ga-init" data-nscript="afterInteractive">
          window['dataLayer'] = window['dataLayer'] || [];
          function gtag(){window['dataLayer'].push(arguments);}
          gtag('js', new Date());

          gtag('config', 'G-7R0Z0ZSXRF');</script><script src="https://www.googletagmanager.com/gtag/js?id=G-7R0Z0ZSXRF" id="_next-ga" data-nscript="afterInteractive"></script><next-route-announcer style="position: absolute;"></next-route-announcer></body></html>