Regulators must make an example of British Airways following its massive data breach

Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the past two years, suggesting businesses across the country were gearing up for the new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into effect on 25 May. Under GDPR, organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, or face a fine of up to €10 million ($11.7 million) or 2% of global annual turnover, whichever is greater.

This is intended to stop companies covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had stolen the payment card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided a fine for late notification, it could still face a significant financial penalty if the breach is found to have resulted from a failure to secure its customers’ information properly.

The company was quick to describe the incident as a “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies fall back on in these scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging was that the hackers obtained full sets of card details, including CVV codes. Criminals with access to the data could therefore use it immediately to make purchases almost anywhere online, which prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

Because PCI DSS forbids merchants from storing CVV codes after a payment has been authorised, the attackers are thought to have harvested the data from the firm’s checkout page in real time, as customers typed their card details into the payment form. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to stay one step ahead of cyber criminals, sophisticated or not. If they choose not to, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is also said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, said he had found a “skimming” script designed to capture financial data from the online payment form.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for two weeks before it was detected and reported.

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these that punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.

UK police arrest three during investigation into dark web credit card fraud scam

A joint operation conducted by law enforcement agencies in the UK has resulted in the arrest of three men suspected of being behind a £1 million ($1.27 million) dark web fraud conspiracy.

Officers from the South East Regional Organised Crime Unit (SEROCU), Greater Manchester Police, the North West Regional Organised Crime Unit (Titan) and the National Crime Agency (NCA) detained the men in Rochdale on Wednesday.

The suspects were held after more than 30 investigators carried out coordinated raids at four addresses across the town in an operation intended to crack down on cyber crime-enabled fraud offences.

The three men – aged 25, 35 and 36 – are said to have used stolen credit card information they bought on dark web marketplaces to make purchases of high-value goods from small and medium-sized businesses over the phone between 2014 and 2018.

When placing orders, police say the suspects arranged to have the goods delivered to multiple locations across Rochdale by unsuspecting couriers.

In a statement, Detective Inspector Rob Bryant from SEROCU’s Cyber Crime Unit, said: “They would use the details they had obtained illegally to purchase large orders of goods, such as car tyres, copper piping, paint and ride-on mowers and have them delivered to discreet locations by innocent couriers, where they would go and collect them from.

“We often see companies which have their data stolen end up on the dark web and opportunist criminals look to benefit. I would like to take this opportunity to remind all businesses around their obligations to customers in protecting their data from cyber criminals.

“In this case, thanks to the multi-agency approach and help from our partners, we have managed to stop an organised crime, which in 2018 had committed nearly 300 fraud offences at a cost of over a million pounds.”

In a report published in April, the Armor Threat Resistance Unit revealed the cost of stolen credit card information available to buy on dark web marketplaces.

The study explained how credit card details can be obtained for as little as $10 on hidden websites, and noted that criminals routinely steal cardholders’ account information by using skimming devices fitted to point-of-sale terminals.

These devices are widely available on the dark web for as little as $700, and can read and store card details while payments are being processed.

“At the low end, skimmers just record data into onboard storage, which adds the additional risk for the scammers of having to physically or remotely retrieve the data,” Armor Senior Threat Intel Analyst Corey Milligan wrote.

“The more expensive and sophisticated skimmers may connect to an off-site storage location in real-time that the criminal can access without being caught.”

Hotel giant Marriott admits to massive data breach that may have hit 500 million customers

Hospitality group Marriott International has admitted that the records of up to 500 million of its guests may have been exposed in a massive data breach.

The world’s largest hotel chain today said hackers may have been able to steal the information after gaining access to its Starwood reservation system.

An unauthorised party is said to have first accessed the system back in 2014, but Marriott said it had only just identified the breach after its security tools detected that somebody was attempting to get into the database.

After conducting an investigation, the company said it had been able to establish that an “unauthorised party had copied and encrypted information”.

The hotel giant said it would now move to contact every customer whose details were on the Starwood system.

In a statement, the company said: “Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts.

“Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call centre.

“We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The company warned that cyber criminals could use the stolen information to send phishing emails to its customers, and cautioned that its own messages would never carry attachments or request personal information by email.

Hotel groups have become increasingly popular targets for cyber criminals over the course of the past few years.

At the end of last month, the Radisson Hotel Group admitted that it had suffered a data breach that affected its loyalty and rewards programme customers.

“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorised person(s),” the company said.

“All impacted member accounts have been secured and flagged to monitor for any potential unauthorised behaviour.

“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”

In October last year, Hilton Hotels was forced to pay $700,000 in the US and ordered to improve its security measures after the company was accused of mishandling two separate credit card data breaches.

Google boasts of efforts to tackle online piracy in new report

A new report from Google has revealed what the search giant is doing to prevent pirates from using its tools to make money from copyright infringement and the theft of intellectual property.

In the study, Google explains how it evaluated material published on 882 million webpages last year after receiving reports of intellectual property theft from rights holders.

The search giant said it removed 95% of these URLs from its search results, noting that it rejected some 54 million removal requests that were incomplete, mistaken or abusive.

The company said it rejected more than 10 million search adverts last year due to concerns over copyright infringement, and noted that 98% of copyright claims on YouTube were made through its Content ID system in 2017.

Content ID allows creators to control their work without having to send takedown notices, Google said in the report, noting that over 90% of all claims made through the system result in monetisation, “generating significant revenue for YouTube partners”.

Explaining how it is working with governments and policymakers across the globe on new ways to tackle online piracy, Google lists a number of partnerships and voluntary agreements it has entered into over the past year with groups that protect rights holders’ interests, including the Centre National du Cinema and the French anti-piracy association ALPA, the Motion Picture Association and the Australian Digital Alliance (ADA).

Looking at how it rewards genuine rights holders, Google said it paid out more than $3 billion to YouTube account owners who had monetised their content last year, and had handed over $1.8 billion to the music industry between October 2017 and September 2018 in advertising revenue alone.

Commenting on the contents of the report in a blog post, Google Head of Copyright Cedric Manara wrote: “We invest significantly in the technology, tools and resources that prevent copyright infringement on our platforms.

“We also work with others across the industry on efforts to combat piracy. These efforts appear to be having an effect: around the world, online piracy has been decreasing, while spending on legitimate content is rising across content categories.”

The report was published after the Australian government last month vowed to crack down on search engines such as Google and Yahoo! that facilitate access to pirated content.

Outlining the contents of a new bill designed to tackle online piracy, the Australian government said: “An injunction against an online search engine provider is a reasonable, necessary and proportionate response to the need to protect the rights of creators and their licensees from infringing material being distributed to, or accessed by, persons in Australia.”
