

Regulators must make an example of British Airways following its massive data breach




Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the course of the past two years, suggesting businesses across the country were gearing up for a new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into force at the end of May. Under the terms of GDPR, organisations must report personal data breaches to the relevant local authority within 72 hours of becoming aware of any such incident, or face a fine of up to €10 million ($11.7 million) or 2% of global turnover, whichever is greater.

This is intended to prevent companies from covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had managed to steal the credit card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided being hit with a fine for failing to go public quickly enough, it could still face a significant financial penalty if the breach is found to be a result of its failure to secure its customers’ information properly.

The company was quick to claim it had been hit with an extremely “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies typically fall back on in these types of scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging for the firm was the fact that hackers managed to obtain full sets of customers’ credit card details, including CVV numbers. This would have meant that cyber criminals with access to the data would have been able to use it immediately to make purchases from pretty much anywhere on the internet, a fact that prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

As companies are not allowed to store CVV data on their systems, it is thought the hackers behind the attack harvested data from the firm’s checkout page in real time while customers were entering their card details. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to ensure they stay one step ahead of cyber scammers, be they sophisticated or not. If they choose not to do so, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.

“This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for two weeks before it was detected and reported.
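The attack described above works by adding a script to the checkout page that reads card fields as customers type them, which is why a site operator's first line of defence is knowing exactly which scripts a payment page is allowed to run. The following is an added example, not code from the article, from British Airways or from RiskIQ: it parses a payment page's HTML, flags any external script whose host is not on an allowlist, flags any inline script whose hash is not in a known baseline, and emits the `script-src` Content Security Policy directive that would have blocked the unexpected ones. The allowed host, the baseline inline script and the sample page are all constructed for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> references and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies, whitespace-stripped
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content (possibly in chunks) as data
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_payment_page(html, allowed_hosts, baseline_inline_hashes):
    """Return scripts the page loads that are neither first-party, allowlisted nor baselined."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = {"unexpected_external": [], "unknown_inline": []}
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # A relative src has no host and is served first-party; any other host must be allowlisted.
        if host and host not in allowed_hosts:
            findings["unexpected_external"].append(src)
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in baseline_inline_hashes:
            findings["unknown_inline"].append(digest)
    return findings


def build_script_csp(allowed_hosts, known_inline_bodies):
    """Build a script-src directive permitting only first-party, allowlisted hosts and hashed inline scripts."""
    sources = ["'self'"] + ["https://" + h for h in sorted(allowed_hosts)]
    for body in known_inline_bodies:
        # CSP hash sources use the base64-encoded SHA-256 digest of the exact script body
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        sources.append("'sha256-" + base64.b64encode(digest).decode("ascii") + "'")
    return "script-src " + " ".join(sources)


# Constructed fixtures (hypothetical host and script; not from the article).
ALLOWED_HOSTS = {"cdn.example-airline.test"}
KNOWN_INLINE = ['window.checkoutConfig = {currency: "GBP"};']
BASELINE_HASHES = {sha256_hex(body) for body in KNOWN_INLINE}

SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-airline.test/js/payment.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="https://static.unrelated-third-party.test/unexpected.js"></script>
<script>document.getElementById("payment").addEventListener("submit", function () {});</script>
</body></html>"""

if __name__ == "__main__":
    print(audit_payment_page(SAMPLE_PAGE, ALLOWED_HOSTS, BASELINE_HASHES))
    print(build_script_csp(ALLOWED_HOSTS, KNOWN_INLINE))
```

Run against a copy of the live page on a schedule and alert on any non-empty finding; the two-week detection gap mentioned above is what this kind of baseline comparison is meant to close, and the generated CSP turns the allowlist into something the browser enforces rather than something that is only checked after the fact.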

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these where punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.



Kenya becomes first nation in Africa to join Interpol’s International Child Sexual Exploitation database




Interpol has announced that Kenya has become the first African country to sign up to its International Child Sexual Exploitation (ICSE) database, an investigative tool that allows police to share information on child abuse cases.

In a statement, the international law enforcement agency revealed that Kenya’s participation in the initiative brings the number of nations connected to the database to 60.

The tool allows investigators in connected countries to analyse and compare uploaded indecent images of children, helping police identify victims and the paedophiles who abuse them.

An investigation conducted by the Kenyan Police Service’s Child Online Cyber Centre in cooperation with Interpol last month resulted in the arrest of three suspected paedophiles in the greater Nairobi area.

The operation resulted in one child being removed from harm, and a number of indecent images and videos being uploaded to the ICSE database, providing material for a training session for specialised officers from Kenya’s Online Cyber Centre.

“The connection to ICSE is a vital step in being able to correspond with other countries on global cases,” Interpol said.

“Since connecting, Kenya has been an active user of the database, and has already provided expertise on African languages heard in videos submitted by other agencies, proving Kenya’s dedication to protecting children from harm both within its borders and abroad.”

According to Interpol, the ICSE database has led to the identification of 19,481 victims of child sexual exploitation across the globe since it was launched in 2009.

The database allows specialised officers to retrieve clues from uploaded images, allowing them to link videos and pictures from multiple sources.

In August of last year, police in Spain arrested a paedophile and rescued five of his victims just six days after Australian investigators added a number of videos to the database.

Officers from Queensland’s Task Force Argos uploaded the material, which featured young girls aged between five and seven, after finding them on a paedophile site on the dark web.

After Interpol analysts established that the images may have been created in Spain, the country’s Central Cybercrime Unit pinpointed a neighbourhood near Madrid.

Examination of the hands of a man who appeared in some of the images led investigators to believe he may be a mechanic, narrowing the search to workshops in a specific area and leading to the eventual arrest of a 46-year-old Romanian national, who was identified thanks to a tattoo on his arm.



EU gets new powers to hit international cyber hackers with sanctions




The EU is now able to hit international cyber criminals who pose a threat to member states with targeted sanctions as part of efforts to restrict hackers’ ability to knock out key infrastructure.

A new legal mechanism agreed this morning by the European Council can be used to target hackers regardless of where in the world they are based.

It provides the EU with the power to freeze assets held by such offenders in member states, and to prevent them from entering the 28-nation bloc.

The new framework can also be used to target any individuals who provide “financial, technical or material support for such attacks or who are involved in other ways”, the Council said in a statement issued this morning.

The new measures were signed off today in Brussels after the Netherlands and the UK lobbied for greater powers for member states to take swifter action against the originators of cyber attacks with the potential to bring down crucial national infrastructure, such as the May 2017 WannaCry ransomware outbreak.

Welcoming the introduction of the new sanctions regime, UK Foreign Secretary Jeremy Hunt commented: “This is decisive action to deter future cyber-attacks. For too long now, hostile actors have been threatening the EU’s security through disrupting critical infrastructure, attempts to undermine democracy and stealing commercial secrets and money running to billions of euros.

“We must now look to impose travel bans and asset freezes against those we know have been responsible for this.”

The new powers were passed into EU law after it was reported that an international coalition of law enforcement agencies had broken up a cyber crime network that used malware in an attempt to steal $100 million from more than 41,000 victims.

Members of the gang, which was made up of hackers who advertised their skills on internet forums, are said to have used the GozNym malware to gain access to victims’ online banking login credentials, before using these to gain unauthorised access to their online accounts to drain them of money.

The funds that were stolen would then be laundered using US and foreign beneficiary bank accounts controlled by gang members.

A criminal indictment has now been returned by a US federal grand jury in Pittsburgh charging 10 members of the network with a number of cyber crime-related offences.

US Attorney Scott Brady commented: “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cyber crime.

“Cyber crime victimises people all over the world. This prosecution represents an international cooperative effort to bring cyber criminals to justice.”



Spanish police warn ‘self-produced’ indecent images of children could fall into hands of online paedophiles




Police in Spain have launched a new operation intended to crack down on the distribution of self-generated indecent images of children.

The country’s national police force is targeting images that were self-produced by minors and published on social media platforms such as Instagram, Periscope, Twitter and YouTube.

Although investigators in Spain believe the majority of self-generated indecent images of children are posted by minors in a bid to attract more followers, it is suspected that in some cases the creators of such material are being contacted and encouraged by adult paedophiles.

Spanish officers said they are focusing on images featuring minors aged between two and 13, adding that the older of these children are publishing this type of material to increase their social media audience.

While police said images and videos featuring younger children had typically been innocently created by relatives of the minors in safe environments, the nature of the material made it likely that it could be shared by online paedophiles once it had been published on social media.

Policia Nacional said it launched an investigation after receiving information about indecent images of children originating from Spain from partner law enforcement agencies in the US, leading the force to identify 110 minors between the ages of two and 13 who featured in such content.

Parents of older children spoken to by police said that while they were aware that their offspring were using social media platforms, they had no idea they were posting indecent material on their channels.

Policia Nacional said that sharing indecent images online is always a mistake, and that doing so could result in sextortion attempts, online bullying, and pictures falling into the hands of online paedophiles.

“Parents should create a climate of trust with their children to deal with these issues and inform them of the risks and consequences of providing personal information or sending photographs and videos to other people, even if they are friends,” the force said.

Last month, the UK-based Internet Watch Foundation (IWF), which works to remove child abuse images from the internet, revealed that more than a quarter (27%) of the content it assessed in the first six months of last year was “self-generated”, and predominantly involved girls aged between 11 and 13.

“This can have serious repercussions for young people and we take this trend very seriously,” the organisation said.



