Top 5 Global Airline Safeguards Customer Data Against Client-side Data Breaches

This global airline used open source libraries and third-party code to build its website. The security team lacked visibility into the behavior of client-side code. This made it difficult to catch and fix script vulnerabilities, which could be exploited to conduct digital skimming and Magecart attacks that captured users’ credit card numbers, CVV codes, and other sensitive PII.

The airline had seen numerous high-profile Magecart attacks in the news, including an attack in 2018 on British Airways that resulted in some 380,000 users’ credit card details stolen and more than $20 million in fines for regulatory noncompliance. This airline knew it needed a solution to protect itself and its customers.

The airline needed a real-time client-side security solution that could detect risks in first-, third- and nth-party code across on their site. They realized that static scanning alone would be ineffective in finding and stopping client-side attacks, and a content security policy (CSP) solution would be too complex to manage.

After evaluating multiple solutions, the airline selected Client-side Defense to protect their website from digital skimming, formjacking and Magecart attacks and help ensure data privacy compliance. There were several factors in their decision:

• 24/7/365 script monitoring: Client-side Defense runs during every user session, providing robust real-time visibility into all first-, third- and nth-party scripts running on your site, all downstream dependencies and every action taken in users' browsers. The solution provides rich insights into JavaScript activity over time, including how scripts are interacting, additional scripts in use and any exposure details. 

• Comprehensive client-side mitigation: Client-side Defense leverages policy-based script management and granular JavaScript blocking to mitigate risky scripts. This multilayered protection lets security teams both block specific actions in a script without blocking the full script, and prevent unwanted scripts from loading at all. 

• Easy to deploy and integrate: The airline was easily able to integrate Client-side Defense by adding a lightweight JavaScript Sensor to their page template. They did not have to modify their website architecture or content delivery networks (CDN), which saved time, money, and hassle.
• Behavior-based learning: Client-side Defense continuously collects signals from the client side and identifies behavioral anomalies such as scripts loaded from a new domain, modifications to the page, scripts accessing sensitive input fields, communication with malicious domains, and known vulnerabilities in third-party scripts. These anomalies trigger prioritized incidents that are sent to the airline’s monitoring systems.
• No impact to user experience: The Sensor runs asynchronously on the site, which preserves user experience. The application development teams at the airline are able to continue innovating with confidence while the information security teams have full visibility into the entire supply chain of website scripts.
• Actionable insights: The Client-side Defense dashboard offers an at-a-glance overview and actionable recommendations based on threat research to help teams quickly prioritize incidents, so they can mitigate client-side supply chain attacks and prevent compliance violations.