by dbm44 2075 days ago
Does seem a very large reduction in the fine, even allowing for current pandemic issues.

Of course if BA had been more security conscious and actually checked their third party JavaScript files regularly, perhaps using https://ScriptScanner.com (full disclosure: it's my app), then they would have caught the hack a lot quicker.

This would have greatly reduced the fine and the distress caused to their customers having to cancel their cards.


> checked their third party JavaScript files regularly

Or used subresource integrity to prevent any unauthorized JS from loading. Or just not loaded third-party JS on the checkout page to begin with.

Agreed.

Very poor form for a company of BA's size to have third party JavaScript on the checkout page.

As far as anyone's been able to tell, I think the third party JavaScript files were hosted on the same BA server as the website itself, so subresource integrity wouldn't help - the hacker could just change the tags loading the JS so that the integrity checks passed.
If this is true then they should’ve moved JS to a CDN or something and used SRI.
> if BA had been more security conscious and actually checked their third party JavaScript files regularly

Or not stored credit-card details in plain text.