British-Airways Magecart Third-party Breach Leads to a $230 Million GDPR Fine

July 9, 2019

The UK's Information Commissioner's Office (ICO) has announced that it issued British Airways a notice of its intention to fine the airline $230 million (£183.39M) for “infringements of the General Data Protection Regulation (GDPR)”.

The reason for the planned penalty is last year's BA data breach, which exposed the details of around 500,000 customers. According to the ICO, the September 2018 incident “involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018”.

British Airways first disclosed the incident at the beginning of September 2018. According to InfoSecurity, security researchers claimed to have found card details stolen from British Airways for sale on the darknet just a week after the incident. According to the ICO, “poor security arrangements” at British Airways led to the breach of sensitive data, including credit card information, booking details, names and addresses, and user login details of approximately half a million customers.

The Magecart Hacking Group

The British Airways data breach was carried out by Magecart, which is considered the largest web-skimming group active today. Magecart's activities usually involve the hidden injection of third-party JavaScript code. The malicious code is aimed at stealing payment data that is submitted on checkout pages: it collects the data as the customer fills in the payment forms and at the moment of submission.

In the British Airways incident the Magecart hackers altered a third-party JavaScript library called Modernizr, a JS library used to enhance site interaction. They modified it to capture the data submitted through the payment forms and send it to a server under their control, which was located in Romania.

The Highest Penalty Under Europe’s New Data Privacy Law

In 2018 the ICO fined Facebook $626,000 (£500,000) over the Cambridge Analytica data scandal. At that time, before the GDPR came into force, that was the maximum penalty allowed. In June 2019 Italy's data protection watchdog issued Facebook a €1,000,000 fine for violating its local privacy law.

According to the BBC, the £183.39 million ($230M) fine is the biggest penalty the ICO has ever handed out and the first to be made public under the new rules.
