A cybersecurity watchdog says it has found malicious code embedded in the British Airways website and app which could have facilitated the theft of data relating to some 380,000 BA transactions.
RiskIQ researchers found evidence of code amounting to the online equivalent of a card skimming device present on the BA website nearly a week before the attack, which ran from August 21 through September 5.
According to RiskIQ, the suspect code was active from August 15 - six days before the first transactions were compromised.
The firm, though, said the criminals behind the attack “likely had access to the British Airways site before the reported start date of the attack - possibly long before”.
BA has said payments made through its website and mobile app were compromised between 10.58pm on August 21 and 9.45pm on September 5.
Alex Cruz, chief executive of BA, has since confirmed details of names, addresses, email addresses, card numbers, expiry dates and - critically - CVV codes were “stolen”.
While BA has so far declined to give a detailed, technical explanation of the attack and how it was performed, in an interview with BBC Radio 4’s Today Show last week, Cruz intimated he could do so.
The technicalities of the theft have so far centred on Cruz and BA’s confirmation that among the stolen data were customers’ CVV codes - the three-digit security code on the back of every major credit and debit card.
Retailers are prohibited, under PCI security standards, from storing CVV codes at any stage of a transaction, leading analysts like RiskIQ to believe the theft was less a breach of stored data and more an interception of data in transit between BA and the consumer.
Cruz, though, reiterated in the Today interview that the attack had compromised BA’s systems, leading RiskIQ to believe those responsible for the theft would have had access to BA’s systems.
“Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart,” said the firm in a research note, issued on Tuesday (September 11).
“Traditionally, criminals use devices known as card skimmers — devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day — to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
“Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data.
“Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK.”
The group added: “As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.
“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”
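Subresource Integrity (SRI) is one browser-side control against the kind of resource modification RiskIQ describes above: a script tag pins the hash of the file it expects, and the browser refuses to run a file whose bytes no longer match. The following is an added illustration, not code from the article, from BA or from RiskIQ; the script contents, the path and the tag are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample content, not British Airways code: a payment-page script
# as deployed, and a copy with an unauthorised line appended.
ORIGINAL_JS = b"document.getElementById('pay').addEventListener('submit', validateCard);\n"
TAMPERED_JS = ORIGINAL_JS + b"/* line appended by an unauthorised change */\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI allows

def sri_token(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def build_script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a site would publish for a pinned resource."""
    return f'<script src="{src}" integrity="{sri_token(content)}" crossorigin="anonymous"></script>'

INTEGRITY_RE = re.compile(r'integrity="([^"]*)"')

def verify_script_tag(tag: str, fetched: bytes) -> bool:
    """Emulate the browser's SRI check on a fetched script.

    Only tokens using the strongest algorithm present are considered, and the
    resource passes if any one of them matches. Unlike a browser, which would
    simply load a script with no usable integrity attribute, this check reports
    such a script as False so that an unpinned resource is flagged.
    """
    m = INTEGRITY_RE.search(tag)
    if not m:
        return False
    tokens = []
    for raw in m.group(1).split():
        algo, _, b64 = raw.partition("-")
        if algo in STRENGTH and b64:  # unknown algorithms are ignored, as in browsers
            tokens.append((algo, b64))
    if not tokens:
        return False
    best = max(STRENGTH[a] for a, _ in tokens)
    return any(sri_token(fetched, a) == f"{a}-{h}" for a, h in tokens if STRENGTH[a] == best)

if __name__ == "__main__":
    tag = build_script_tag("/static/js/payment.js", ORIGINAL_JS)
    print(tag)
    print("original loads:", verify_script_tag(tag, ORIGINAL_JS))  # True
    print("tampered loads:", verify_script_tag(tag, TAMPERED_JS))  # False
```

SRI only protects resources the page itself references with a pinned hash; a script injected into server-side HTML, or a pinned script that is legitimately redeployed without updating the tag, is outside its reach, which is why it complements rather than replaces change monitoring of the deployed site.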
A British Airways spokesperson said: “As this is a criminal investigation, we are unable to comment on speculation.”
The theft is being investigated by the National Crime Agency, which said specialist officers from its National Cyber Crime Unit were working with BA to “gain a better understanding of the incident”.
“Our investigations into these types of incidents are often complex and take some time before the full details can be established,” said the NCA in a statement.
“We know ‘opportunist’ criminals often use incidents like this to conduct secondary fraud attacks.
“Anyone who thinks they may be affected should remain vigilant of potential fraudsters seeking access to personal details. Any suspicious activity should be reported to Action Fraud.”