This week the Information Commissioner’s Office handed British Airways the biggest data protection fine in history, but hackers are still targeting hundreds of websites around the world, using the same techniques.
The news last September that British Airways had suffered a major data breach piqued the interest of security analysts around the world. The breach affected around half a million people and compromised approximately 429,000 payment cards. But analysts were intrigued by another detail in BA’s statement: the stolen information, the airline claimed at the time, was linked to transactions made over the course of just 16 days.
In many of the biggest data breaches of recent years, hackers have stolen customer databases stretching back several years. During Yahoo’s record-breaking breach of 2013, for example, criminals secured access to each of the three billion user accounts created since the company was founded in 1995. By comparison with most breaches, then, the BA attack was unusual, but it wasn’t unique.
During the weeks leading up to BA’s disclosure, analysts at a US security firm called RiskIQ had been monitoring a kind of attack, known as “form-jacking”, which appeared to be gaining popularity among cyber criminal gangs. The underlying vulnerabilities which make such attacks possible have been known about since 2000, but RiskIQ’s analysts had begun investigating the attack more closely because it was linked to the other major breach of the summer: the Ticketmaster attack.
Both incidents, analysts now say, should be attributed to Magecart: a group of more than a dozen cyber crime gangs which specialise in form-jacking and have targeted thousands of websites around the world. To carry out their attacks, Magecart hackers will attempt to breach a website vendor which supplies a third-party service, such as a chat-bot function. Compromising a single vendor could enable the hackers to insert malicious code onto hundreds of sites, giving them visibility of hundreds of thousands of transactions.
The UK’s information commissioner, Elizabeth Denham, revealed on Monday that she intends to fine BA £183m for “[failing] to protect [data] from loss, damage or theft”. The company is expected to appeal, having claimed it has found no evidence that customers fell victim to fraud as a result of the breach. Ticketmaster will watch with particular interest as the appeal plays out. The company had said that blame for its attack rests with a third-party vendor. The ICO’s ruling, however, suggests websites are responsible for their customers’ data regardless of how it is breached.
Whatever the outcome of the appeal, the size of the fine will unnerve the thousands of other businesses around the world which have been compromised by Magecart gangs. In an analysis shared with NS Tech, researchers at Symantec, a US security company, revealed that from June to September, the number of domains infected with form-jacking hadn’t dropped below 5,000. But in October, the month following BA’s disclosure, the number of infected domains fell below 4,000 for the first time since the start of the year, indicating that web developers and their suppliers had taken measures to protect their systems in light of the attacks.
However, in the last two months, the number of infected domains has started to climb once again. In May, it rose above 2,000 for the first time since October and in June hit 4,500. Meanwhile, the number of attempted form-jacking attacks detected by Symantec rose from around 200,000 in August and September 2018 to more than 800,000 in May and June this year, suggesting that the attacks are becoming more focused and increasingly effective.
Candid Wueest, a senior threat researcher at Symantec, explained that the emergence of a number of attacks from April onwards could be linked to compromises at a cloud provider used by third-party web vendors to host their services. Since April, the same code used to target Ticketmaster has also been linked to the breach of a health insurance provider. “We believe it’s the same attack group,” said Wueest. “The group have been very active, going after hundreds of domains each week.” Symantec refused to name the health insurer, but said it had been informed of the breach.
While BA’s fine is the largest ever issued by a data protection regulator, it represents just 1.5 per cent of BA’s 2018 turnover and around eight per cent of its parent company’s post-tax earnings. Nevertheless, it is higher than some observers had expected and many times larger than the cost of fixing the error in the first place.
BA may feel aggrieved that the ICO broke with convention by publishing the size of the fine before receiving its representations. But for the hundreds of businesses around the world dealing with similar attacks, it’s a wake-up call, and for their customers, one that couldn’t have come soon enough.