British Airways 2018 Data Breach: The Snowball Effect

As we already shared with you in our previous blog post, British Airways (BA) was targeted by Magecart hackers in late 2018. This exploit led to over 400,000 leaked records and a fine of over £183.39M by the Information Commissioner Office (ICO). Although this number went down to £20M eventually, the aviation giant has recently settled a legal claim with more than 15,000 victims. Let’s reinspect this major cybersecurity incident and go over the main takeaways you must take seriously today.  

Before we dive into the specifics, a quick recap. The aforementioned Magecart group tampered with the BA website by exploiting and tapering with a third-party JavaScript (JS) add-on called Modernizr. This software component, which is supposed to enhance user experience for better customer satisfaction, was modified by the hackers to harvest all submitted data from online payment forms.

Poor Digital Security Causes Three-Dimensional Damage

We can’t possibly touch on all aspects of poor cybersecurity standards on eCommerce and eService websites, but can be categorized into three main groups.

• Security Breach Detection and Mitigation Tasks Take Time

Unfortunately, not all data breaches are detected in real time. This is often the case with Magecart and Web Skimming attacks, since they are initiated via external digital applications and third-party code that is not being checked by traditional Application Security toolkits (WAFs, CSPs, etc.). The detection of such breaches can take weeks or even months, something that already puts online businesses on the back foot.

The numbers don’t lie. As per a recent IBM research report, the average time it took organizations to identify breaches in 2020 stood at no less than 228 days. If we dive into the report, healthcare companies were the slowest to respond, with an average time of 329 days. Financial firms and banks were also above average, with 233 days taken to detect malicious activity on their websites.

Once the problem is detected, CISOs and security teams leave their ongoing duties and spend days trying to find the root of the problem, let alone the mitigation process that can also get complicated. Enterprise-level businesses often hire external Pen Testers and researchers to accelerate remediation efforts, something that brings added costs and requires increased IT team intervention.

• Regulatory Watchdogs Bite Hard

The General Data Protection Regulation took effect in mid-2018 and there has been no looking back. EU authorities and the Information Commissioner Office (ICO) were lenient initially, but online businesses have to pay dearly now for not implementing a layered security approach and not having a digital application monitoring solution for ongoing protection against security and compliance risks. More on this later.

For example, the ICO also took stern action against Ticketmaster UK for it’s 2018 data breach. The business was fined £1.25 million for its security failures.

But it’s not just about GDPR. You are looking at California Consumer Protection Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act of 2020 (SOX), and 23 NYCRR 500 in the United States. Japan has the Act on the Protection of Personal Information (APPI) and Canada has also implemented it’s own Digital Charter Implementation Act (DCIA). Data security is no longer an option.

Related: Top 10 Data Privacy Laws to Watch in 2021

It’s important to note that there is the brand damage that these hacks bring with them. Customers are sharing more and more personal information and private data with online businesses. Once this is stolen, the trust between the company and the client is basically breached, with clear legal implications. This leads to accelerated churn, something that is only worsened by bad press and bad word of mouth. 

Besides the fines issued by regulatory bodies, more and more data breach victims are exercising their rights and suing the businesses directly. The British Airways civil lawsuit is not an isolated one. Anthem agreed to a settlement of $115 million to compensate for the exposed records of over 78 million customers. Yahoo also settled a civil case in 2020. This trend is showing no signs of stopping.

The Benefits of Ongoing Digital Asset Monitoring

There is no denying that digital applications have a wide range of benefits. They are allowing online businesses to bolster their marketing, analytics, business, and development activities, while allowing developers to focus on what really matters – innovation. However, these external applications and tags are a double-edged sword, as they introduce a plethora of security and compliance risks to websites.

The main reason behind this enlarged attack surface is the creation of security blind spots that cannot be exposed by Content Security Policies (CSPs) or Web Application Firewalls (WAFs) as they are not in the same ecosystem. Also, this external code is often updated on a daily basis, creating new dependencies and enabling hackers to exploit new loopholes without being detected.

A comprehensive digital application monitoring solution will help you eliminate the blind spots and other related issues like domain security problems. Other benefits:

• Enabling secure third-party digital application usage
• Getting a dynamic digital asset inventory for smooth ongoing management
• Better cross-department collaboration and reduced friction with CISOs
• Smooth scaling up without expanding the website attack surface
• Upgrading the existing Application Security toolkit with enhance visibility 

The only way to fight Magecart, Web Skimming, and Supply Chain attacks today is to gain full control over your digital assets, including third-party apps and tags. Once you are able to monitor everything on an ongoing basis, you can significantly reduce the attack surface and minimize loopholes created by the external code. A proactive approach is the only way to make digital businesses safe again.