The Information Commissioner’s Office or ICO in the UK has fined British Airways $229 million!
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
According to RiskIQ:
Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial.
At the time of the hack, BA's payment page loaded content from seven external domains. Marcus Greenwood, chief exec of cloud-based automation firm UBIO, argued these various analytic, customer service and testing tools ought to be kept well away from payment pages.
"Crucially there is also no 'iframe' isolation of the payment card fields," he said in a blog post exploring whether the airline could still be vulnerable to attack. "This is bad because it is trivial for any JavaScript file loaded to steal the card details and post to another third-party domain," he said, noting the site hosted third-party scripts, including from external domains that the company itself owns, on the payment page.
We have put together a list of cybersecurity essentials for every organization, but it does not cover the specific case of companies accepting credit cards online.
Quite often, developers are hired by companies who aren’t proficient in cybersecurity.
If this is the case in your organization, a second opinion is a must.
When dealing with personally identifiable information (PII) or personal health information (PHI), every organization must understand that it is a target.
If they handle this information via the web, they are at great risk, because this is exactly the information attackers want: it lets them make a great deal of money with minimal work.
As a result, organizations must be aware that the consequences of not safeguarding their network infrastructure and software can be fines or a loss of customers, either of which can put them out of business.
There is no best-case scenario when dealing with hacks. It is all bad, all the time. The downside could be years of financial and reputational pain making the job of the organization infinitely more difficult.
While we offer no one-size-fits-all solution to your organization’s hacking exposure, every executive needs to be aware of the risks and mitigate them as best they can.