British Airways Data Breach. Could it have been avoided?
On September 11, 2018, the BBC News site reported on the data breach at British Airways, based on the findings of the security company RiskIQ, which analysed the code on BA's website. The BBC report is reproduced below, after my comments.
My Comments:
If BA's breach was caused by a third-party provider, what can you do to make sure the same could not happen to you, and do you know whether your third-party suppliers and/or their sub-contractors are fully GDPR compliant?
Any company that handles online payments, whether BA or another organisation, should take this type of attack as a warning and step up its security to avoid a similar breach.
As for BA, the consequences are grave: a potentially massive fine under the GDPR, loss of earnings, compensation claims from the customers affected by the attack, damage to BA's reputation, the prospect of being prohibited from handling customer data, and so on. Given that everyone is now subject to the GDPR (General Data Protection Regulation), it is quite surprising that a data breach of this type could occur within a large organisation such as BA or Ticketmaster (as mentioned in the BBC report).
Research suggests that BA could face not only legal action from the many people affected by the breach, but also massive fines from the ICO under the GDPR. Remember that before the GDPR came into effect, the maximum fine the ICO could issue to any organisation was £500,000; now, under the GDPR, the potential fines for a breach in which personal and full bank details were exposed could run into millions of pounds, depending on how the ICO views the breach, the details of how it happened and how it was dealt with. The potential fines, any compensation won by BA's customers, the damage to the company and so on could amount to as much as £500 million, an astronomical amount for one organisation. For some companies, that would be more than enough to wipe them off the business map. In addition, suppliers and third-party companies that currently work alongside BA could simply refuse to continue, seeing BA as a huge risk to work with and a company that could harm their own reputation.
British Airways is a major airline, and according to RiskIQ, who carried out the research outlined below, the malicious code they found was just 22 lines long and had been adapted to the specific payment site BA has in place, including its app.
Websites are generally managed by a third party, unless the organisation has its own internal team on site to maintain and update the website and verify its security. To prevent a breach like this from happening to others, regular reviews (say every three months, for example) of the website and its payment section should be carried out, making sure that the security behind it is free of flaws, that people can use it without their details being recorded as they type, and that there are no back doors through which attackers could enter. This can be achieved by regular penetration testing and constant monitoring of both internal IT systems and websites; there are many monitoring providers who can help. Testing should be carried out at least every 3-6 months, although constant monitoring, as mentioned, is a MUST DO, especially where payment systems are in place on the website or app.
Checks should be carried out periodically, including verification of the existing SSL (Secure Socket Layer) certificates: are they the same certificates that were previously installed, or have they been changed by an unauthorised third party or even by attackers? The BBC report mentions that the attackers even used a new SSL certificate on BA's site in this attack! Data breaches like the one that affected British Airways will now be on the increase, and personal information and bank details (including the CVV numbers) will be the main targets. Hackers around the world will see this particular attack as an opportunity to test other organisations that handle online payments to see whether the same or a similar method is possible. No one has yet confirmed that a third-party vendor was responsible for the BA breach, but it is looking like a possible cause. If you are a company or organisation that deals with many suppliers, third parties and so on, then there is much to do if you have not yet completed your GDPR work. Here are some suggestions:
- Under the GDPR, you need to verify how seriously (or not) your third-party suppliers take their own security and compliance, and whether they are fully GDPR compliant. If they are not compliant, this could be a risk to your organisation on many fronts.
- If you have not done so already, define with your third-party providers clear and precise areas and activities in which the GDPR is in scope, and have them agree and provide signed contractual assurances that 1) they are fully compliant, or 2) where they are still working towards full compliance, that they will complete all the GDPR compliance processes by confirmed timelines.
- One problem with many third-party providers is that some of the services they provide to your company will at times be outsourced, sometimes without written approval. You therefore need to make it very clear that, under the scope of the GDPR, they will not be permitted to outsource any services without prior written approval and agreement as to what will be outsourced. Be very careful with this aspect; it should be set out in any contracts that have been updated to reflect the GDPR.
- There has been a massive increase in the recorded number of data breaches around the world since the GDPR came into effect in May of this year. How do you know whether this has been the case with your third-party provider? If you are completely unaware of any data breaches at your current third-party provider, then you cannot tell how seriously they take their security and the protection of the data they hold. Have there been any data breaches at your third-party provider? If so, was the breach recorded, including in their own compliance records? To be better protected in deciding who to take on or continue working with, I would suggest full due diligence and a regular audit of your third-party providers' processes, checking that they are still working with GDPR compliance in mind.
- Has your third-party provider confirmed that thorough background checks of their staff and contractors, including credit, employment and criminal records, have been carried out? This matters because someone inside that provider could act as an insider and pass confidential details of your business to an attacker for payment.
- Another important factor is whether your third-party provider has employees located in other parts of the world: would you be happy working with parties whose staff and/or contractors are in countries where hostile state actors operate and/or which are known for supporting, tolerating or ignoring cyber-criminal activity?
- The GDPR only permits personal data transfers to countries that the European Commission deems to have an “adequate” level of personal data protection. You therefore cannot simply transfer your data, yourselves or via a third party, to any country; restrictions govern which countries are unsafe to transfer to. You will need to verify that there is no risk of this happening through your third-party provider, otherwise it could cause you massive problems if a data breach occurs and the data is traced back to your company, even if it occurred via a third-party provider.
Questions you should consider asking your third-party provider or vendor
- Please could you identify your appointed Data Protection Officer or main data protection contact, as well as their specific responsibilities within the organisation?
- Can you explain and describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers?
- Where does your organisation store the digital personal information you are managing on our behalf? If this is stored with a third-party sub-processor, please identify them and provide details of where that data is stored.
- What processes and methods, if any, are you using to properly anonymise and encrypt personal data?
- What processes and methods are in place for protecting data, detecting breaches and communicating data breaches?
- What processes and tools are in place to manage the identification, tracking and destruction of personal data associated with an individual?
- Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period?
- What data privacy and security training have employees in your organisation received, in particular those responsible for dealing directly with our company, if applicable?
Thanks to the BBC for this article below
British Airways: Suspect code that hacked fliers 'found'
A cyber-security firm has said it found malicious code injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.
A RiskIQ researcher analysed code from BA's website and app around the time when the breach began, in late August.
He claimed to have discovered evidence of a "skimming" script designed to steal financial data from online payment forms.
BA said it was unable to comment.
A very similar attack, by a group dubbed Magecart, affected the Ticketmaster website recently, which RiskIQ said it also analysed in depth.
The company said the code found on the BA site was very similar, but appeared to have been modified to suit the way the airline's site had been designed.
"This particular skimmer is very much attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," the researcher wrote in a report on the findings.
"The infrastructure used in this attack was set up with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection."
Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead - this is known as a supply chain attack.
In BA's case, hackers stole names, email addresses and credit card details - including the long number, expiry date and the three-digit CVV security code.
"As this is a criminal investigation, we are unable to comment on speculation," said BA in a statement.
A spokesman for the UK's National Crime Agency said it was aware of the RiskIQ report but would not be commenting at this time.
Data grab
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
The cyber-security firm added that the attackers had apparently been able to gather data from mobile app users as well because the same script was found loaded into the app on a page describing government taxes and carrier charges.
"The page [in the app] is built with the same... components as the real website, meaning design and functionality-wise, it's a total match," the RiskIQ report noted.
[Video: British Airways' chairman and CEO says affected customers will be 100% compensated]
RiskIQ recommended that BA customers affected by the breach get a new debit or credit card from their bank.
The firm pointed out that whoever was behind the attack had apparently decided to target specific brands and that more breaches of a similar nature were likely.
"There is a very clear emerging risk where the weakest link in payment processes is being actively targeted," cyber-security expert Kevin Beaumont told the BBC.
"And that weakest link in the chain is often by placing older systems or third-party code into the payment chain."
Andrew Dwyer, a cyber-security researcher at the University of Oxford added that the attackers appeared to have gone to "extraordinary lengths" to tailor their code to the BA site.
According to RiskIQ, they also acquired a Secure Socket Layer (SSL) certificate - which suggests to web browsers, not always accurately, that a web page is safe to use.
If this was indeed how the attack worked, he added, there are ways of preventing third-party code taking data from sensitive web pages.
"BA should have been able to see this," he told the BBC.
Country, Group Risk Management and Sustainability
6 years ago
With evolving and dynamic technology advancement, to prevent it completely may not be possible. Perhaps we may need to revisit our company's risk appetite and consider a mitigation plan such as frequent penetration activities by the in-house security information team, or subscribe to expert agency information security services with stringent due diligence prior to appointment and performance review prior to renewal of such services. Alternatively, we can also consider insurance to minimise the financial loss. Just my 2 cents..
Moderator of Cyber Security and Real Time Systems & Global Digital Identity Groups
6 years ago
Yes, the BA attack could have been detected and prevented by implementation of basic web hosting security measures. Very happy to discuss in more detail.