by Nextgrid 2075 days ago
> checked their third party JavaScript files regularly

Or used subresource integrity to prevent any unauthorized JS from loading. Or just not loaded third-party JS on the checkout page to begin with.

2 comments

Agreed.

Very poor form for a company of BA's size to have third party JavaScript on the checkout page.

As far as anyone's been able to tell, I think the third party JavaScript files were hosted on the same BA server as the website itself, so subresource integrity wouldn't help - the hacker could just change the tags loading the JS so that the integrity checks passed.
If this is true then they should’ve moved JS to a CDN or something and used SRI.
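
An added example, not part of any comment in this thread: a Node.js audit that flags external scripts the thread's points apply to (no `integrity` attribute, a hash that no longer matches what is served, or a script served from the same origin as the HTML). The origins, URLs and script bodies are constructed sample data, and the regex tag matching stands in for a real HTML parser.

```javascript
const crypto = require('node:crypto');

// Build the value for an integrity="" attribute.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// One finding per external script that SRI does not actually protect.
// pageOrigin: origin serving the HTML; fetched: script URL -> body as served now.
function auditScripts(html, pageOrigin, fetched) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag)?.[1];
    if (!src) continue; // inline script: SRI does not apply
    const url = new URL(src, pageOrigin);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag)?.[1];
    if (!integrity) {
      findings.push({ src: url.href, issue: 'no integrity attribute' });
      continue;
    }
    // Simplified: accept if any listed hash matches (browsers prefer the strongest).
    const body = fetched[url.href];
    const ok = body !== undefined && integrity.split(/\s+/).some((tok) => {
      const alg = tok.split('-')[0];
      return ['sha256', 'sha384', 'sha512'].includes(alg) && sriFor(body, alg) === tok;
    });
    if (!ok) findings.push({ src: url.href, issue: 'integrity mismatch' });
    else if (url.origin === pageOrigin) {
      // Whoever can rewrite this file can likely rewrite the tag's hash too.
      findings.push({ src: url.href, issue: 'same origin as HTML: SRI adds little' });
    }
  }
  return findings;
}

// Constructed sample data (not from the thread).
const ORIGIN = 'https://shop.example';
const GOOD = 'console.log("lib v1");';
const SAMPLE_HTML = `
<script src="https://cdn.example/lib.js" integrity="${sriFor(GOOD)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/tracker.js"></script>
<script src="https://cdn.example/widget.js" integrity="${sriFor(GOOD)}" crossorigin="anonymous"></script>
<script src="/js/checkout.js" integrity="${sriFor(GOOD)}"></script>`;
const SERVED = {
  'https://cdn.example/lib.js': GOOD,
  'https://cdn.example/widget.js': GOOD + '/* changed after the hash was pinned */',
  'https://shop.example/js/checkout.js': GOOD,
};
console.log(auditScripts(SAMPLE_HTML, ORIGIN, SERVED));
```
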