The UK cares about its citizens' privacy to the tune of a $229 million (US) fine of British Airways for a breach that disclosed information of approximately half a million customers. It's exciting — a significant fine for a significant loss of data. I think GDPR will lead to improved security of information systems as companies scramble to avoid onerous fines and start to demand more from those who provide information security services and products.
I wish, though, that as part of their penance, GDPR required companies to provide more details more quickly about how the breach occurred and how a company like British Airways fell short in stopping it. The conversation needs to move quickly and fluidly about what is the standard of duty of care that must be met by organizations.
From a Tripwire article:
"Precisely how the hackers managed to gain access to British Airways' infrastructure to plant the malicious code in the first place hasn't been made public. However, what's clear is that for a period of time they failed to notice that a JavaScript library used in their website's payment flow had been tampered with."
What has been learned about the breach seems to be coming from third-party analysis such as the blog posting from RiskIQ. It turns out that British Airways is one of a number of companies, including Ticketmaster and Newegg, to have been hit by digital card skimming attacks. Sanguine Security Labs reported that 962 online shops were recently attacked in a similar way within a 24-hour period.
Digital card skimming attacks date back to 2016 and show no sign of abating. The attackers keep innovating and succeeding because it is hard to keep up with the newest variations of the Magecart family of attacks. It is also hard to know which defensive steps are reasonable and most cost-effective.
Elizabeth Denham, the UK commissioner in charge of the agency that levied the fine, was quoted as saying:
"That's why the law is clear — when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Organizations must report breaches. There is real urgency to address digital skimming attacks, which continue to compromise user data. Shouldn't the EU and the bureaucracy administering the GDPR be anxious to share what they know about how these attacks are evolving and what they believe are the appropriate steps to prevent them? For example, is British Airways being fined because they failed to patch a known vulnerability such as the PHP Object Injection vulnerability CVE-2016-4010? Were they fined because they didn't have a file integrity monitor in place on their servers verifying that scripts had not been tampered with? Organizations that fall under GDPR jurisdiction need to know what misstep British Airways took from the viewpoint of the UK office.
When a breach occurs, more information needs to be disclosed more quickly about what happened and what went wrong. "Appropriate steps" will mean more once those administering GDPR say what those steps are. British Airways will be given the opportunity to argue that it acted reasonably. The reasoning behind whatever decision is made needs to be made public. Providing an account of what went wrong is as important as holding companies accountable.
Written by Curt Dukes, Executive Vice President