The news last September that British Airways had suffered a data breach piqued the interest of security analysts around the world. The breach affected around half a million people and compromised approximately 429,000 payment cards. But analysts were intrigued by another detail in BA’s statement: the stolen information, the airline claimed at the time, was linked to transactions made over the course of just 16 days between the end of August and the start of September 2018.
In many of the biggest breaches in recent years, hackers have stolen entire customer databases, stretching back to companies’ digital inception. During Yahoo’s record-breaking breach of 2013, all of the three billion user accounts created on its platform were compromised. Once attackers have found their way around a company’s defences, they often enjoy unfettered access for several months. By the time the company finds out, it’s almost always too late.
In the weeks leading up to BA’s disclosure, analysts at a US security firm called RiskIQ had been monitoring a kind of attack, known as “form-jacking”, which appeared to be gaining popularity among cybercriminal gangs. The underlying vulnerabilities that make such attacks possible have been known about since 2000, but RiskIQ’s analysts had begun investigating the attack more closely because it had been behind the other major breach of the summer: the Ticketmaster attack.
Both incidents, analysts now say, should be attributed to Magecart: a group of more than a dozen cybercrime gangs that specialise in form-jacking and have targeted thousands of websites around the world. To carry out their attacks, hackers will often attempt to breach a single vendor that supplies third-party services, such as a chat-bot function, to websites that harvest customer data. Compromising a single vendor could enable the hackers to insert malicious code onto hundreds of sites, allowing them to view hundreds of thousands of transactions.
The UK’s information commissioner Elizabeth Denham revealed on Monday that she intends to fine BA £183m for “[failing] to protect [data] from loss, damage or theft”. The company is expected to appeal, having claimed it has found no evidence that customers fell victim to fraud as a result of the breach. Ticketmaster will watch with particular interest as the appeal plays out. The company had said that blame for its attack rests with the third-party vendor, but the ICO’s ruling suggests websites are responsible for their customers’ data regardless of how it is breached.
Whatever the outcome of the appeal, the size of the fine will unnerve the thousands of other businesses around the world which have been compromised by Magecart gangs. In an analysis shared with NS Tech, researchers at Symantec, a US security company, revealed that from June to September, the number of domains infected with form-jacking hadn’t dropped below 5,000. But in October, the month following BA’s disclosure, the number of infected domains fell below 4,000 for the first time since the start of the year, indicating that web developers and their suppliers had taken measures to protect their systems in light of the attacks.
However, in the last two months, the number of infected domains has started to climb once again. In May, it rose above 2,000 for the first time since October and in June hit 4,500. Meanwhile, the number of attempted form-jacking attacks detected by Symantec rose from around 200,000 in August and September 2018 to more than 800,000 in May and June this year, indicating that the attacks are becoming more focused and increasingly effective.
Candid Wueest, a senior threat researcher at Symantec, explained that the emergence of a number of attacks from April onwards could be linked to compromises at a cloud provider used by third-party web vendors to host their services. Since April, the same code used to target Ticketmaster has also been linked to the breach of a health insurance provider. “We believe it’s the same attack group,” said Wueest. “The group have been very active, going after hundreds of domains each week.” Symantec refused to name the health insurer, but said it had been informed of the breach.
While BA’s fine is the largest ever issued by a data protection regulator, it represents just 1.5 per cent of BA’s 2018 turnover and around 8 per cent of its parent company’s post-tax earnings. Nevertheless, it is higher than some observers had expected and many, many multiples larger than the cost of fixing the error in the first place.
BA may feel aggrieved that the ICO broke with convention by publishing the size of the fine before receiving its representations. But for the hundreds of businesses around the world dealing with similar attacks, it’s a wake-up call, and for their customers, one that couldn’t have come soon enough.