British Airways security incident garners record GDPR fine
The ICO plans to levy a record GDPR fine of nearly $230 million against British Airways for a security incident that led to 500,000 customers having their data compromised.
British Airways will be hit with a record fine under the General Data Protection Regulation for a security incident that led to the compromise of about 500,000 customers' personal data.
The Information Commissioner's Office (ICO), the independent GDPR investigator for the U.K., announced its intention to levy a fine of nearly $230 million -- 183.39 million euros -- due to the British Airways security incident, which took place during the summer of 2018.
According to a September 2018 report by Yonathan Klijnsma, threat researcher for San Francisco-based RiskIQ, threat actors were able to implant a poisoned version of the Modernizr JavaScript library into both the British Airways website and mobile app. Customers were then forwarded to a fraudulent website, where they were tricked into providing their data.
While ICO described the British Airways security incident as a breach, threat actors did not obtain the customer data through access to the airline's network, according to RiskIQ's research.
British Airways said the attacks occurred between Aug. 21, 2018, and Sept. 5, 2018, but the ICO said the incident was "believed to have begun in June 2018." Investigators found customer data, including names, addresses, login credentials, payment card data and travel booking details, was compromised in the incident.
Information Commissioner Elizabeth Denham said in a statement that it is "more than an inconvenience" when an organization fails to protect customer data.
"That's why the law is clear -- when you are entrusted with personal data, you must look after it," Denham said. "Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The ICO credited British Airways with cooperating with the investigation and improving security, and the ICO reserved the right to change its final decision after considering "the representations made by the company and the other concerned data protection authorities."
The British Airways security incident
Although it has been made publicly known how threat actors were able to steal customer data in this incident, it is still unknown how they were able to access British Airways' systems in order to launch the attacks.
Matan Or-El, co-founder and CEO of third-party security management vendor Panorays, based in New York, said the lack of transparency regarding how attackers were able to access British Airways' systems "is doing a disservice to the discussion around the fine and whether it's justified or not."
"Oddly enough, nobody has published clear details about the incident, so it's not clear what exactly happened. It will be difficult to turn this into a learning experience for everyone if more details are not disclosed," Or-El said. "The amount of the fine is unprecedented. It will be very interesting to see how it's appealed and whether the fine will remain. The more transparent the ICO will be regarding their rationale and reasons for the high amount, the better it will be for discussion."
Or-El said the threat actors would have needed to be able to replace certain files on the British Airways website in order to implant the poisoned library as described by the RiskIQ analysis.
Ilia Kolochenko, founder and CEO of application security firm ImmuniWeb, based in Geneva, said it depends on whether the JavaScript library in question was actually located on British Airways' resources or not.
"Nowadays, there are many convoluted avenues to inject malicious code into legitimate pages. For example, sometimes developers mistype the domain name where an external [JavaScript] library is hosted, and attackers simply register the domain and place a malware there instead of the library," Kolochenko said. "Other companies purchase their own domains to host third-party code and then forget to renew the domains, ceding this opportunity to malicious actors."
Ido Safruti, CTO and co-founder of web application security vendor PerimeterX, based in San Mateo, Calif., said the available details made it seem as though the code was "served and verified by the original site and on the official mobile application."
Alex Calic, strategic technology partnerships officer for The Media Trust, based in McLean, Va., suggested the British Airways security incident was likely the result of a cross-site scripting (XSS) attack, although this has not been confirmed.
"[The threat actors] identified a poorly secured component in their web application and used it to inject the malicious code," Calic said. "On the one hand, [British Airways is] expected to remain relatively tight-lipped about how they might have contributed. On the other, an admission would shed more light on XSS' popularity as a method of attack among bad actors and the surprisingly large number of web applications that remain vulnerable to it."
Protection against similar attacks
Experts roundly agreed there might not be much customers could do to protect themselves against attacks like this. Kolochenko said breaches like this could be "totally invisible from the outside."
Calic added that users would need to have "the technical expertise to scan payment pages for suspicious JavaScript," or else they'd be at the mercy of web application providers.
Experts also agreed enterprises should be continuously testing the security of web applications in order to identify any changes or vulnerabilities that may arise, scan for unauthorized code and inspect any third-party code being used.