British Airways revealed a data breach impacting customer information from roughly 380,000 booking transactions. The company said that names, addresses, email addresses, and sensitive payment card details were all compromised.

The threat detection firm that analyzed the breach published details of the hackers’ strategy and linked the intrusion to a criminal hacking gang that has been active since 2015. The group is known for web-based credit card skimming, i.e. finding websites that do not secure payment data entry forms and drawing in everything that gets submitted. But while the hackers have previously been known to use the same broadly targeted code to scoop up data from various third-party processors, the firm found that the attack on British Airways was much more tailored to the company’s specific infrastructure.

In its initial disclosure, British Airways said that the breach did not impact passport numbers or other travel data. But the company later explained that the compromised data included payment card expiration dates and Card Verification Value (CVV) codes, even though the airline has said it does not store CVVs. British Airways further noted that the breach only impacted customers who completed transactions during a specific timeframe.

These details served as clues, leading analysts to suspect that the attack did not necessarily involve penetrating the organization’s network or servers, which would explain how the hackers accessed only information submitted during a specific timeframe and compromised data that British Airways itself does not store.

The airline also said in its disclosure that the attack impacted its mobile users. Analysts found a part of the British Airways Android app built from the same code as the compromised portion of the airline’s website. It is normal for an app’s functionality to be based in part on existing web infrastructure, but the practice can also create shared risk. In the case of the British Airways Android app, the malicious JavaScript component the attackers injected on the main site hit the mobile app as well. The attackers seem to have designed the script to accommodate touchscreen inputs.

While the attack was not elaborate, it was effective, because it was tailored to the specific scripting and data flow weaknesses of the British Airways site.