By Source Defense
Imagine facing a compliance fine of $238 million due to a data breach and being told that the breach itself was not the main reason for the fine. That’s precisely what happened to British Airways after a 2018 data breach exposed the personal data of nearly 500,000 customers.
An investigation into the breach by Britain’s Information Commissioner’s Office (ICO) concluded that the company had violated Europe’s General Data Protection Regulation (GDPR). Although the fine was eventually reduced to $26 million due to mitigating factors stemming from the COVID-19 pandemic, British regulators said the fine resulted largely from British Airways not having the necessary client-side security protections in place that could have prevented the breach.
The Attack
On June 22, 2018, cybercriminals compromised login credentials issued to one of British Airways’ third-party suppliers for a remote access gateway and gained access to the British Airways internal network. They remained undetected for nearly 6 weeks.
From there, the attacker gained access to a domain administrator account by using login details stored in plain text on the server. The attacker then edited a Javascript file on BA’s public website (BritishAirways.com) so that it redirected customer payment card data to a domain controlled by the cybercriminals (BAways.com). For the next 15 days, every time a traveler entered their payment card information into the British Airways website, a copy was sent to the attacker.
According to the ICO penalty notice issued on Oct. 16, 2020, the attackers accessed the personal data of approximately 429,612 individuals, in particular:
- Name, address, card number, and CVV number of BA customers -244,000 data subjects;
- Card number and CVV only -77,000 data subjects;
- Card number only -108,000 data subjects;
- Usernames and passwords of BA employee and administrator accounts; and
- Usernames and PINs of up to 612 BA Executive Club accounts.
The Failures
The ICO determined that BA failed to comply with its obligations under the GDPR. “BA failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures,” the penalty notice states.
The British Airways attack involved many failures, not the least of which was a lack of visibility into their partner ecosystem. And if you are concerned with GDPR compliance, you must gain this visibility. Not only do you need to police and control the normal behaviors of your website partners, but you also need to ensure that they aren’t the vector through which a successful client-side attack occurs.
Cybercriminals are increasingly taking advantage of a Javascript vulnerability that gives all scripts, regardless of their origin, the same level of control, including access and authorship capability, the ability to change the webpage, access all information on it (including forms), and even record keystrokes and save them. This was another major factor in the British Airways attack.
According to the ICO, “BA could have put in place measures to detect malicious action such as that which occurred during the Attack, in particular file integrity monitoring. This type of monitoring allows the system to detect and alert an organization to changes being made to its code. While it does not stop an attacker from changing the code, it allows the organization to detect that changes have been made and to establish whether they are unauthorized.”
BA had established manual change management controls, meaning that if an employee wanted to make any changes to BA’s website, they had to go through a formal change management process to obtain approval for that change. However, BA did not have security technology capable of detecting unauthorized changes to its website code. In this instance, BA was only alerted by a third party that significant changes had been made to the website code.
British regulators also noted the failure of British Airways to abide by the PCI Data Security Standard (DSS), which is designed to protect consumers when they make online payments. The penalty notice specifically identified BA’s inability to verify the integrity of critical system files, configuration files, and content files or scripts. It should be noted that PCI DSS 4.0 – recently introduced – now has a distinct focus on client-side security.
The Solution
At Source Defense, we have been developing technology for nearly ten years to address the concerns raised by GDPR and PCI DSS. Through our expertise in client-side security, we can deliver solutions to secure merchants and help them achieve compliance at a low cost, with little-to-no operational burden, and without massive new internal efforts. Our solution offers a win for multiple stakeholders.
The business has the ability to continually enhance the website experience by adding new partners as they see fit. Security is able to protect the 3rd party code introduced by these partners – stopping data theft in its tracks. Governance, Risk and Compliance teams gain complete visibility into the normal actions of each partner, and the ability to enforce strict policies for data privacy – both in normal state, and in the event of one of these partners being compromised by a cybercriminal.
Our technology provides real-time insight into every piece of code running on every page of your site during every pageview, rendering point-in-time analysis obsolete. Beyond just insight, however, Source Defense can provide real-time management of code behavior as it executes to ensure not only the integrity of your code but the ability to prevent client-side attacks before they cause damage to your company or your visitors.
—
You need to start working with your partners on the business and security side of the house to reduce this material risk to your organization. You need to get the conversation started and we can help!
Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.
Source Defense is a mission-critical element of web security. It is a data privacy compliance and security solution that protects sensitive user data collected on websites from data leakage or theft by extending security to the client-side. Source Defense is the market leader in Client-side Security for websites, providing real-time threat detection, protection, and prevention of vulnerabilities originating in JavaScript. Source Defense’s patented Website Client-side Security Platform offers the most comprehensive & complete solution addressing threats and risks from the increased usage of JavaScript, libraries, and open source in websites today.