Regulators must make an example of British Airways following its massive data breach

Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the course of the past two years, suggesting businesses across the country were gearing up for a new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into force at the end of May. Under the terms of GDPR, organisations must report personal data breaches to the relevant local authority within 72 hours of becoming aware of any such incident, or face a large fine of up to €10 million ($11.7 million) or 2% of global turnover, whichever is greater.

This is intended to prevent companies from covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had managed to steal the credit card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided being hit with a fine for failing to go public quickly enough, it could still face a significant financial penalty if the breach is found to be a result of its failure to secure its customers’ information properly.

The company was quick to claim it had been hit with an extremely “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies typically fall back on in these types of scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging for the firm was the fact that hackers managed to obtain full sets of customers’ credit card details, including CVV numbers. This would have meant that cyber criminals with access to the data would have been able to use it immediately to make purchases from pretty much anywhere on the internet, a fact that prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

As companies are not allowed to store CVV data on their systems, it is thought the hackers behind the attack harvested data from the firm’s checkout page in real time while customers were entering their card details. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to ensure they stay one step ahead of cyber scammers, be they sophisticated or not. If they choose not to do so, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for two weeks before it was detected and reported.

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these where punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.

Bungling British cyber hacker jailed for nine months after making £5 in attack on UK National Lottery

A hapless hacker from Britain has been jailed for nine months after being paid the princely sum of £5 ($6.50) for providing fellow cyber criminals with a tool to attack the UK’s National Lottery website.

Londoner Anwar Batson, 29, was handed the prison term at Southwark Crown Court after admitting four offences under the Computer Misuse Act 1990 and one fraud charge.

Batson used a widely available hacking tool dubbed Sentry MBA to create a file that allowed other hackers to launch an attack on the National Lottery website back in November 2016, which at the time held nine million separate account profiles.

In July 2018, Daniel Thompson, 27, and Idris Kayode Akinwunmi, 21, were jailed for eight months and four months respectively at Birmingham Crown Court after they were convicted of using the tool to bombard the website with thousands of attempts to log in to customer accounts.

Batson, who used the name “Rosegold” online, provided the username and password of one lottery player to Akinwunmi, who stole £13 from the account before sending Batson £5.

Batson denied all knowledge of the scam when he was arrested back in May 2017, telling investigators from the UK’s National Crime Agency (NCA) that he was the victim of trolling and that his devices had been hacked.

Detectives were able to disprove Batson’s claims after discovering conversations on devices seized from him that related to the hacking, buying and selling of username and password lists, configuration files and personal details.

Investigators were also able to locate a conversation with Akinwunmi in which Batson discussed the theft of the £13 from the compromised National Lottery account.

In an interview given to police after his arrest, Akinwunmi said: “I was just being silly and naïve really… It was just a naïve act to make a little bit of cash.”

Jailing Batson for nine months, Judge Jeffrey Pegden said the gravity of his offending did not result from the amount of money he obtained by deception, but from the fact he had targeted “a large honourable organisation”.

Speaking after sentencing, NCA Senior Investigating Officer Andrew Shorrock said: “Even the most basic forms of cyber crime can have a substantial impact on victims.

“No one should think cyber crime is victimless or that they can get away with it.

“The NCA will pursue and identify offenders and any conviction can be devastating to their futures.”

Apple now scanning iCloud uploads for evidence of child abuse images, executive tells CES audience

An Apple executive has revealed that the iPhone maker is scanning content uploaded to its iCloud platform to make sure it does not contain child sexual exploitation images.

Speaking during a presentation at the CES event in Las Vegas, Apple Senior Director of Global Privacy Jane Horvath told delegates that images backed up to the service are now automatically scanned to help “screen for child sexual abuse material”.

In a discussion during which she defended Apple’s use of encryption to protect private information stored by users of its devices, Horvath argued against the need to create “back doors” for access to such data, suggesting that technology to scan for evidence of child sexual exploitation content is a far more effective way to fight crime.

While Horvath did not go into detail about the technology Apple uses to scan for evidence of indecent images of children, the UK’s Daily Telegraph reports that the company recently updated its privacy policy with information about the automated scanning of images uploaded to iCloud.

“We have developed robust protections at all levels of our software platform and throughout our supply chain,” the policy reads.

“As part of this commitment, Apple uses image matching technology to help find and report child exploitation.

“Much like spam filters in email, our systems use electronic signatures to find suspected child exploitation.

“We validate each match with individual review. Accounts with child exploitation content violate our terms and conditions of service, and any accounts we find with this material will be disabled.”

Separately, the UK’s Internet Watch Foundation (IWF) said earlier this week that the surface web is being flooded with indecent images of children.

The charity, which works to remove child abuse images from the internet, said it dealt with a record number of cases in 2019 as illegal content increased by more than a quarter.

According to the IWF, its analysts processed 260,400 reports last year, which represented a 14% increase from the 229,328 cases it dealt with in 2018.

Almost 133,000 of these proved to involve images and/or videos of children being sexually abused, which was up from 105,047 the previous year.

Commenting on the figures for 2019, IWF CEO Susie Hargreaves said: “What’s really shocking is that it’s all available on the open internet, or ‘clear web’.

“That’s the everyday internet that we all use to do our shopping, search for information, and obtain our news.”

Interpol identifies major international cryptojacking campaign during crackdown in Southeast Asia

Interpol has teamed up with law enforcement agencies in Southeast Asia to crack down on cryptojacking, an emerging form of cyber crime that involves offenders hijacking victims’ computer power to mine cryptocurrencies such as Bitcoin.

Cryptojackers exploit unsuspecting computer users’ processing power and bandwidth to mine virtual currency, having infiltrated their systems using purpose-built malware.

The criminals behind cryptojacking conspiracies seek to exploit the blockchain systems that reward computers that validate cryptocurrency transfers with newly created virtual coins.

While hugely profitable, the mining of new virtual cryptocurrency coins on an industrial scale is highly resource intensive both in terms of computing power and energy, prompting cyber criminals to surreptitiously tap systems owned by third parties.

As well as seeking to stamp out the activity in Southeast Asia, Interpol’s Operation Goldfish Alpha also sought to raise awareness of what is a relatively unknown crime in the region, and teach local law enforcement agencies how to identify it and mitigate against the threat it poses.

Using intelligence obtained from police and partners in the cyber security industry, Interpol and its partners identified a global cryptojacking campaign facilitated by the exploitation of a vulnerability in MikroTik routers during the operation.

Commenting on the success of the operation, Interpol cyber crime boss Craig Jones said: “When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated.

“By combining the expertise and data on cyberthreats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime.”

At the beginning of December, two Romanian men were jailed for a total of 38 years by a court in Ohio for running a botnet that stole credit card information and installed crypto mining software on victims’ computers.

Prosecutors said Bogdan Nicolescu and Radu Miclaus, both 37, were part of a cyber crime syndicate referred to as the “Bayrob Group”.

The network is thought to have begun operations in 2007 with the development of malware distributed through phishing emails purporting to be from companies such as Western Union and antivirus firm Norton.

Once downloaded onto a victim’s systems, the malware would harvest banking information and harness processing power for the mining of cryptocurrencies.

Speaking after Nicolescu and Miclaus were jailed, FBI Special Agent in Charge Eric Smith commented: “These sentences handed down today reflect the dynamic landscape in which international criminals utilise sophisticated cyber methods to take advantage of, and defraud, unsuspecting victims anywhere in the world.”
