The British Airways Incident
In 2019, British Airways was notified that it faced a record £183 million fine from the UK Information Commissioner’s Office (ICO) over the loss of 380,000 individuals’ credit and debit card details. The fine was reduced to £19.8 million in October 2020, not because BA wasn’t at fault, but because the airline had been devastated by the COVID-19 pandemic. However, the fine won’t be its biggest cost: BA now faces group legal actions from law firms representing affected customers, with total claims reaching £800 million ($1.09 billion) or more – an astoundingly expensive incident.
The responsibility for this loss of data lies squarely with BA. The airline has a complex, global environment with long-standing issues around access control and maintenance, and it was slow to patch critical utilities on its payment sites. But it’s worth noting that BA was the victim of a sophisticated operation that takes advantage of payment sites’ dependencies on third-party code and services, and against which defenses have been limited – a type of attack referred to as “Magecart.”
What Magecart did to BA
The term Magecart is popularly used both for the groups of cybercriminals who target online shopping cart systems to steal users’ payment card information using a specific type of attack and for the attack they use. The technical term for what they’re doing is “web skimming” or “formjacking,” and it involves inserting malicious code onto a website to steal a copy of the information a user enters into an online payment form. It’s analogous to the use of physical card skimmers on gas pumps and ATMs. If done correctly, neither the user nor the site suspects it is happening. The Magecart groups have been very successful and continue to be active; BA was not the first company to fall victim to them.
Once the breach came to light, British Airways reported it to their customers and fixed it. They also reported it to the UK ICO, because their failure to protect personal data was a potential GDPR violation – and an expensive one as we’ve seen, in terms of brand damage, fines, and upcoming settlement payouts.
The Lokker™ Privacy Control solution could have helped prevent the catastrophe.
There are other ways to spot this kind of hostile activity, but Lokker™, since it’s an active monitoring solution, watches for suspicious changes continuously. This matters because a sophisticated attacker – and the group that hit British Airways was sophisticated – may only interfere with some transactions, or may be able to spot routine scans and avoid showing itself to them. Lokker™ filters all transactions, all the time, and can catch those attackers even if they’re clever. Had it been available at the time, BA could have detected this attack early and shut it down fast – maybe even before any personal data got out. This would have drastically reduced the fine, even if BA still would have had to report the intrusion itself.
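The web-skimming attack described above works by getting an extra or altered script onto the payment page, so one basic defensive check is to compare the page’s script inventory against a known-good baseline. The following is an added illustration written for this article, not Lokker’s product code or anything BA ran; the baseline, sample pages and `.invalid` hostnames are constructed.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="..."> attributes
        self.inline = []        # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def script_inventory(html):
    """Return (set of external script srcs, set of SHA-256 hashes of inline scripts)."""
    p = _ScriptCollector()
    p.feed(html)
    return set(p.external), {hashlib.sha256(s.encode()).hexdigest() for s in p.inline}

def find_unexpected_scripts(html, allowed_srcs, allowed_inline_hashes):
    """Return (srcs not in the baseline, inline hashes not in the baseline); both empty means clean."""
    srcs, hashes = script_inventory(html)
    return sorted(srcs - set(allowed_srcs)), sorted(hashes - set(allowed_inline_hashes))

# Constructed baseline: the scripts the payment page is supposed to load.
BASELINE_SRCS = {"/static/checkout.js", "https://js.example-psp.invalid/v1.js"}
KNOWN_INLINE = "window.checkoutConfig = {currency: 'GBP'};"
BASELINE_INLINE = {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()}

# Constructed sample pages: a clean one, and a copy with one extra script tag injected.
CLEAN_PAGE = """<html><body><form id="pay"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.invalid/v1.js"></script>
<script>window.checkoutConfig = {currency: 'GBP'};</script></body></html>"""
CHANGED_PAGE = CLEAN_PAGE.replace("</body>", '<script src="https://cdn.example-unknown.invalid/x.js"></script></body>')

if __name__ == "__main__":
    print(find_unexpected_scripts(CLEAN_PAGE, BASELINE_SRCS, BASELINE_INLINE))     # ([], [])
    print(find_unexpected_scripts(CHANGED_PAGE, BASELINE_SRCS, BASELINE_INLINE))   # (['https://cdn.example-unknown.invalid/x.js'], [])
```

Run continuously against the live checkout page (and from several network vantage points, since a skimmer may serve itself selectively), any non-empty result is worth an alert; a changed inline hash or a new origin is exactly the kind of "suspicious change" the monitoring discussed above is looking for.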