British Airways reported two substantial data breaches this year: in September it disclosed the compromise of 244,000 credit card transactions in August and September, and in October it disclosed another 185,000 transactions from April through July.
The first line of defense against an attack like this is to detect intrusions into infrastructure. However, in this case, British Airways was reportedly unaware of an intrusion. The next line of defense is to verify that production JavaScript source code is not modified unexpectedly. One solution is to implement an external monitoring system that detects any changes to public-facing source code and confirms that each reported change matches an intentional change. This verification can be automated by comparing checksums.
The recently finalized W3C standard for Subresource Integrity, supported by Edge, Chrome, Firefox, and Safari, may also help prevent such attacks, in particular for third-party scripts. However, in the case of the British Airways hack, the attacker likely would have also changed the integrity hash within the script tag that loaded the compromised JavaScript source code.
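
The external checksum monitoring and the SRI limitation described above can be shown together. The following is an added example, not code from British Airways or any vendor: it compares each served script and its `integrity` attribute against a release manifest kept off the web server. The path `/js/checkout.js`, the script bodies and the `fetch` callback are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(body: bytes) -> str:
    """Digest in the format used by the SRI integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptTags(HTMLParser):
    """Collects (src, integrity) for every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit(page_html, fetch, manifest):
    """Compare a served page against a manifest kept off the web server.
    fetch(src) returns the script bytes as served; manifest maps src -> digest."""
    parser = ScriptTags()
    parser.feed(page_html)
    findings = []
    for src, integrity in parser.scripts:
        expected = manifest.get(src)
        if expected is None:
            findings.append((src, "not in release manifest"))
            continue
        if sri_sha384(fetch(src)) != expected:
            findings.append((src, "content differs from manifest"))
        # The attribute may list several digests; the released one must be present.
        if integrity is not None and expected not in integrity.split():
            findings.append((src, "integrity attribute differs from manifest"))
    return findings

# Constructed sample data (hypothetical path and script bodies).
RELEASED = b"function pay(form) { form.submit(); }\n"
MODIFIED = RELEASED + b"/* unexpected change */\n"
MANIFEST = {"/js/checkout.js": sri_sha384(RELEASED)}

def page(body):
    return '<script src="/js/checkout.js" integrity="%s"></script>' % sri_sha384(body)

if __name__ == "__main__":
    print(audit(page(RELEASED), lambda s: RELEASED, MANIFEST))  # no findings
    # Script and its integrity attribute changed together: SRI alone would pass.
    print(audit(page(MODIFIED), lambda s: MODIFIED, MANIFEST))
```

Because the manifest is produced at release time and stored separately from the served pages, a change that rewrites both the script and its `integrity` value still produces findings.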