RiskIQ researchers found evidence that code amounting to the online equivalent of a card skimming device was present on the BA website nearly a week before the attack, which ran from August 21 through September 5.
According to RiskIQ, the suspect code was active from August 15 - six days before the first transactions were compromised.
The firm said, though, that the criminals behind the attack “likely had access to the British Airways site before the reported start date of the attack - possibly long before”.
BA has said payments made through its website and mobile app were compromised between 10.58pm on August 21 and 9.45pm on September 5.
Alex Cruz, chief executive of BA, has since confirmed details of names, addresses, email addresses, card numbers, expiry dates and - critically - CVV codes were “stolen”.
While BA has so far declined to give a detailed, technical explanation of the attack and how it was performed, in an interview with BBC Radio 4’s Today Show last week, Cruz intimated he could do so.
The technicalities of the theft have so far centred around Cruz and BA’s confirmation that among the stolen data were customers’ CVV codes - the three-digit security code on the back of every major credit and debit card.
Retailers are prohibited, under PCI security standards, from storing CVV codes at any stage of a transaction, leading analysts like RiskIQ to believe the theft may have been less of a data hack and more of an intervention on the data while it was in transit between BA and the consumer.
Cruz, though, reiterated in the Today interview that the attack had compromised BA’s systems, leading RiskIQ to believe those responsible for the theft would have had access to BA’s systems.

