Last week it was announced that the personal and financial details of 380,000 British Airways customers had been stolen by cyber criminals.
The latest news reports claim that the cause of the data breach has been identified by a RiskIQ researcher, who has analysed the code from BA’s website and app. The researcher says there is evidence of a “skimming” script designed to scrape data from online payment forms.
BA’s response is that “As this is a criminal investigation, we are unable to comment on speculation.”
Skimming script linked to criminal group Magecart
If this skimming is proven, it would be a similar attack to the one that hit the Ticketmaster website earlier this year, which has been linked to the criminal hacking group Magecart.
It is claimed that Magecart’s approach is to “inject script designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites”.
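Because a skimmer of this kind lives in script that the checkout page itself loads, a basic defensive check is to audit which scripts that page includes, where they come from, and whether they carry a Subresource Integrity hash. The following is an added example, not code from BA, RiskIQ or any analysis of Magecart; the hostnames, the integrity hash and the sample checkout page are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party origins for the checkout page (not BA's real hosts).
ALLOWED_ORIGINS = {"www.example-airline.test", "cdn.example-airline.test"}

class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None:          # script element content arrives here
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_scripts(html, allowed_origins=ALLOWED_ORIGINS):
    """Return (finding, detail) pairs for scripts a skimmer could hide in."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:                       # inline script: no src, no SRI possible
            if s["body"].strip():
                findings.append(("inline-script", s["body"].strip()[:60]))
            continue
        host = urlparse(s["src"]).hostname          # relative src -> None (same origin)
        if host and host not in allowed_origins:
            findings.append(("unexpected-origin", s["src"]))
        elif not s["integrity"]:                   # a known host can still be tampered with
            findings.append(("missing-sri", s["src"]))
    return findings

# Constructed checkout page for the demo; the integrity hash is a placeholder.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example-airline.test/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-airline.test/legacy.js"></script>
<script src="https://unknown-analytics.test/track.js"></script>
<script>document.querySelector('#card-number').addEventListener('change', collect);</script>
</head><body><form id="payment"><input id="card-number"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:17} {detail}")
```

Run against a copy of the live checkout page on a schedule, a change in the findings list is the signal to investigate, since a legitimate release should update the allowlist at the same time.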
Likely long term implications for BA
Although BA reported the breach within the 72-hour timeframe required under the GDPR (General Data Protection Regulation), the organisation has still suffered a fall in share value and customer discontent. After all, as well as customers’ personal details and credit card numbers being stolen, the crooks were also able to scrape the three- and four-digit card security codes, which are the last line of defence against online fraud.
The CVV security codes are not supposed to be stored on merchants’ websites under the PCI DSS (Payment Card Industry Data Security Standard), so a breach of this data is rare. To date, BA’s public statements and emails to customers haven’t explained how it lost such critical data.
Under the GDPR, a fine of up to 4% of global annual revenue is possible, so BA could be hit with a £500 million penalty.
92% of UK organisations breached
According to Carbon Black, 92% of UK organisations have been breached in the past year, so no one can be complacent.
Cyber security and breach readiness must be prioritised within business operations to ensure that organisations and individuals reduce risk and are able to act effectively when a breach occurs.