British Airways reported a breach last week that affected about 380,000 customers’ data. Threat management firm RiskIQ revealed today that the same criminal group behind a Ticketmaster UK breach also attacked British Airways.

In a previous report, RiskIQ found that Ticketmaster’s breach was the work of the criminal group Magecart. It injected scripts onto a compromised customer service product on Ticketmaster’s site in order to steal personal data. According to RiskIQ, Magecart tends to use scripts to steal customer data that are entered on online payment forms, usually through compromised third-party services these sites use.

“A stark reminder about the vulnerability of web-facing assets.”

RiskIQ analyzed the source code from British Airways’ webpages and its mobile app and found Magecart injected a few lines of JavaScript on the card checkout pages of both; although, in this case, Magecart didn’t first target a third-party vendor. The breach occurred from August 21st to September 5th and affected payments on mobile and web. Magecart set up custom, targeted scripts that wouldn’t be noticed on the British Airways website, indicating that the group had access before the attack began. RiskIQ calls it “a stark reminder about the vulnerability of web-facing assets.”

Users affected by the British Airways breach should get a new credit or debit card from their bank and cancel the old one.