Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Cyber Attack and Breach.

Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with immediately contacted customers when the extent of the breach became clear and advised them to contact their bank or credit card provider., and containment measures with recommended: deploy content security policy (csp) in report-only mode, containment measures with recommended: implement subresource integrity (sri) for third-party scripts, containment measures with recommended: isolate and remove malicious scripts, containment measures with recommended: disable compromised third-party integrations, and remediation measures with recommended: conduct comprehensive script audits, remediation measures with recommended: deploy client-side monitoring tools (e.g., rasp, web exposure management), remediation measures with recommended: enforce nonces for inline scripts instead of 'unsafe-inline', remediation measures with recommended: update pci dss 4.0.1 controls for client-side risks, and recovery measures with recommended: develop client-side incident playbooks, recovery measures with recommended: implement automated script inventory tools, recovery measures with recommended: enhance customer communication templates for breaches, and adaptive behavioral waf with recommended: supplement traditional wafs with client-side protection, and enhanced monitoring with recommended: real-time javascript execution monitoring, and incident response plan activated with yes (customer notifications initiated), and communication strategy with customer notifications sent in late november 2025..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Gateway between the airline and a payment processor, Compromised third-party scripts (e.g., Polyfill.io, chat widgets)Shadow scripts dynamically loaded without approvalVendor supply chain vulnerabilities (e.g., customer support tools) and Compromised third-party supplier.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Numbers, Expiry Dates, Security Codes, Names, Street And Email Addresses, , Email Address, Telephone Numbers, Ba Membership Numbers, First And Last Name, Booking Reference, Itinerary, Flight Number, Flight Times, Seat Number, , Personal Information, , Payment Card Information, Personal Information, , Payment Card Data (Card Numbers, Cvv, Expiry Dates), Authentication Tokens, Session Cookies, Pii From Checkout Forms (Names, Addresses, Emails), , Personal Information, Loyalty Program Data and .

Incident Response Plan: The company's incident response plan is described as Yes (customer notifications initiated).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Recommended: Conduct comprehensive script audits, Recommended: Deploy client-side monitoring tools (e.g., RASP, Web Exposure Management), Recommended: Enforce nonces for inline scripts instead of 'unsafe-inline', Recommended: Update PCI DSS 4.0.1 controls for client-side risks, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by recommended: deploy content security policy (csp) in report-only mode, recommended: implement subresource integrity (sri) for third-party scripts, recommended: isolate and remove malicious scripts, recommended: disable compromised third-party integrations and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Recommended: Develop client-side incident playbooks, Recommended: Implement automated script inventory tools, Recommended: Enhance customer communication templates for breaches, .

Key Lessons Learned: The key lessons learned from past incidents are Client-side attacks bypass traditional WAFs/IDS, requiring specialized monitoring.,Third-party scripts introduce significant supply chain risk, especially during high-traffic periods.,Encrypted traffic (HTTPS) obscures data exfiltration from client-side attacks.,Development freezes during holidays delay patching, exacerbating vulnerabilities.,Shadow scripts and dynamic code behavior evade static analysis tools.,Compliance frameworks (e.g., PCI DSS 4.0.1) now emphasize client-side risks but lack prescriptive guidance.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Category: Organizational, , Category: Incident Response, , Category: Detection & Monitoring, , Category: Compliance, , Category: Preventive Measures and .

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney GeneralDate Accessed: 2018-11-21, and Source: Washington State Office of the Attorney GeneralDate Accessed: 2018-11-21, and Source: Cloudflare Holiday Season Traffic Report 2024, and Source: British Airways Breach Post-Mortem (2018), and Source: Ticketmaster Customer Support Chat Breach Analysis (2019), and Source: Polyfill.io Supply Chain Attack Report (2024), and Source: Cisco Magecart Incident Disclosure (September 2024), and Source: PCI DSS 4.0.1 Client-Side Security Guidelines, and Source: Iberia Airlines customer notification (late November 2025).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Immediately contacted customers when the extent of the breach became clear and advised them to contact their bank or credit card provider. and Customer notifications sent in late November 2025.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Advised customers to contact their bank or credit card provider and follow their recommended advice., E-Commerce Platforms: Audit Third-Party Scripts Before Holiday Season., Payment Processors: Monitor For Fraud Spikes Linked To Client-Side Skimming., Regulators: Clarify Client-Side Protection Expectations In Pci Dss/Gdpr., Security Vendors: Develop Integrated Server-Side + Client-Side Monitoring Solutions., Monitor Payment Card Statements For Unauthorized Transactions., Use Virtual Cards Or Payment Tokens For Online Holiday Shopping., Report Suspicious Checkout Behavior (E.G., Unexpected Redirects, Additional Form Fields)., Check Browser Extensions For Malicious Script Injection Risks., and Customers notified of potential phishing risks and advised to monitor for suspicious activity.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Recommended: Real-time JavaScript execution monitoring.

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Mandate Csp/Sri Implementation For All Web Properties., Integrate Client-Side Monitoring Into Soc Operations., Establish Third-Party Script Governance Programs With Risk Tiering., Automate Script Inventory And Change Detection., Update Incident Response Plans To Include Client-Side Breach Scenarios., Advocate For Clearer Regulatory Guidance On Client-Side Protections., .

Most Recent Incident Detected: The most recent incident detected was on 2018-11-21.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on November 2025.

Most Significant Data Compromised: The most significant data compromised in an incident were Credit card numbers, Expiry dates, Security codes, Names, Street and email addresses, , email address, telephone numbers, BA membership numbers, first and last name, booking reference, itinerary, flight number, flight times, seat number, , Personal Information of Employees, , Payment card information, Personal information, , Payment card details (e.g., 380,000 records in British Airways breach), Authentication tokens, Session cookies, Personally Identifiable Information (PII) from checkout forms, , Customer names, Email addresses, Iberia Club loyalty card identification numbers and .

Most Significant System Affected: The most significant system affected in an incident were WebsiteMobile App and E-commerce platforms (e.g., Cisco merchandise store, Shrwaa.com)Third-party scripts (Polyfill.io, chat widgets, analytics tools)User browsers (client-side execution environment) and Third-party supplier systems.

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Recommended: Deploy Content Security Policy (CSP) in report-only modeRecommended: Implement Subresource Integrity (SRI) for third-party scriptsRecommended: Isolate and remove malicious scriptsRecommended: Disable compromised third-party integrations.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were seat number, flight number, first and last name, Personally Identifiable Information (PII) from checkout forms, Iberia Club loyalty card identification numbers, flight times, itinerary, Customer names, Street and email addresses, Security codes, Payment card information, Personal Information of Employees, Names, BA membership numbers, booking reference, Personal information, Payment card details (e.g., 380,000 records in British Airways breach), email address, Authentication tokens, Expiry dates, Credit card numbers, Session cookies, telephone numbers and Email addresses.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 880.5K.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Compliance frameworks (e.g., PCI DSS 4.0.1) now emphasize client-side risks but lack prescriptive guidance.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Category: Organizational, , Customers advised to be vigilant against phishing attempts due to exposed personal information, Category: Incident Response, , Category: Detection & Monitoring, , Category: Compliance, , Category: Preventive Measures and .

Most Recent Source: The most recent source of information about an incident are Cisco Magecart Incident Disclosure (September 2024), Washington State Office of the Attorney General, Iberia Airlines customer notification (late November 2025), PCI DSS 4.0.1 Client-Side Security Guidelines, British Airways Breach Post-Mortem (2018), Cloudflare Holiday Season Traffic Report 2024, Ticketmaster Customer Support Chat Breach Analysis (2019), Polyfill.io Supply Chain Attack Report (2024) and California Office of the Attorney General.

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (industry-wide analysis of 2024 holiday season attacks).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was E-commerce platforms: Audit third-party scripts before holiday season., Payment processors: Monitor for fraud spikes linked to client-side skimming., Regulators: Clarify client-side protection expectations in PCI DSS/GDPR., Security vendors: Develop integrated server-side + client-side monitoring solutions., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Advised customers to contact their bank or credit card provider and follow their recommended advice., Monitor payment card statements for unauthorized transactions.Use virtual cards or payment tokens for online holiday shopping.Report suspicious checkout behavior (e.g., unexpected redirects, additional form fields).Check browser extensions for malicious script injection risks. and Customers notified of potential phishing risks and advised to monitor for suspicious activity.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Gateway between the airline and a payment processor and Compromised third-party supplier.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Varies (e.g., Polyfill.io attack began in February 2024, detected during holidays).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Over-reliance on server-side security controls (WAFs/IDS) for client-side threats.Lack of visibility into third-party script behavior and dependencies.Absence of runtime monitoring for JavaScript execution in browsers.Insufficient enforcement of CSP/SRI despite availability of standards.Development freezes preventing timely patching during peak seasons.Compliance frameworks lagging behind client-side attack evolution., Third-party supplier vulnerability.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Mandate CSP/SRI implementation for all web properties.Integrate client-side monitoring into SOC operations.Establish third-party script governance programs with risk tiering.Automate script inventory and change detection.Update incident response plans to include client-side breach scenarios.Advocate for clearer regulatory guidance on client-side protections..