Regulators must make an example of British Airways following its massive data breach

Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the past two years, suggesting businesses across the country were gearing up for the new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into force at the end of May. Under GDPR, organisations must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of an incident, or face a fine of up to €10 million ($11.7 million) or 2% of global annual turnover, whichever is higher.

This is intended to prevent companies from covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had managed to steal the credit card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided being hit with a fine for failing to go public quickly enough, it could still face a significant financial penalty if the breach is found to be a result of its failure to secure its customers’ information properly.

The company was quick to claim it had been hit with an extremely “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies typically fall back on in these types of scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging for the firm was the fact that hackers managed to obtain full sets of customers’ credit card details, including CVV numbers. This would have meant that cyber criminals with access to the data would have been able to use it immediately to make purchases from pretty much anywhere on the internet, a fact that prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

As the card industry’s PCI DSS rules forbid merchants from storing CVV data after a transaction is authorised, it is thought the hackers behind the attack harvested the data from the firm’s checkout page in real time, while customers were entering their card details, rather than from a stored database. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to ensure they stay one step ahead of cyber scammers, be they sophisticated or not. If they choose not to do so, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for roughly two weeks before it was detected and reported.

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these that punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.


Cyber crime cost worldwide economy $2.9 million every minute last year


Online criminals cost the global economy $2.9 million every minute last year, according to a report from cyber security firm RiskIQ.

This added up to $1.5 trillion over the 12-month period.

Research conducted by the firm also reveals that security breaches cost major companies $25 per minute last year, and that hacks on cryptocurrency exchanges cost $1,930 every 60 seconds over the same period.

Elsewhere, the firm’s study showed that $17,700 was lost to phishing attacks every minute last year, while ransomware events will cost a projected $22,184 each 60 seconds in 2019.

According to RiskIQ, hackers employed a range of tactics last year, including malvertising, phishing and supply chain attacks that target e-commerce, such as the Magecart hacks that have increased by 20% over the past 12 months.

Commenting on his company’s findings, Lou Manousos, CEO of RiskIQ, said: “As the scale of the internet continues to proliferate, so does the threat landscape.

“By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an ‘internet minute’.

“We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they’re up against on the open web.”

Manousos added that a wider understanding of the cyber threat landscape is required to tackle the problem, and that there will be more attacks using an ever-expanding range of technologies and strategies if the necessary security controls are not implemented.

“With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy,” he said.

“Businesses must realise that they are vulnerable beyond the firewall, all the way across the open internet.”

Separately, a gang of six online romance fraudsters based in the UK have been convicted of conning two women out of £240,000 ($296,803).

Setting up fake profiles on internet dating sites, the gang members used the false identities of Kevin Churchill and Kevin Thompson, posing as wealthy businessmen to gradually convince the two women they were in relationships.

The gang members first demanded money on the pretence that they needed funds to pay vet’s bills for a sick dog, preying on their victims’ love for animals, and then gradually asked for larger sums.

The gang will be sentenced at Guildford Crown Court on 2 August.


25 million Android devices infected with malware that swaps legitimate apps for bogus ad-filled versions


Security researchers have discovered a new form of malware designed to infect Android devices and replace legitimate apps with malicious versions that show fraudulent ads.

Analysts at Check Point Research, who have named the malware Agent Smith after a fictional character from the Matrix film franchise, believe the malicious software has already infected as many as 25 million devices across the US and India.

The malware, which disguises itself as a Google-related application, is said to exploit known Android vulnerabilities to automatically replace installed apps with malicious versions that show device users ads selected by hackers who profit financially from their views.

Check Point notes that while the software is currently only being used by cyber criminals to profit from ad views, it could be adapted to steal personal and banking information, or turn Android handsets into remote listening devices.

The online security firm has withheld the identity of the malicious actor behind the malware after passing information to Google and law enforcement agencies.

In a statement, Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies, said: “The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own.

“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith’.

“In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps.”

Earlier this month, CSIS Security Group published information about a separate piece of malware that it claims has infected more than 10 million Android devices made by South Korea’s Samsung.

The bogus Updates for Samsung app, which had been downloaded by millions of users before being pulled from the Google Play store, purported to manage firmware updates that improve and secure the running of Samsung devices.

In reality, the app simply directed users to an ad-packed website that charged for the download of firmware updates.

In a statement, Google said: “Providing a safe and secure experience is a top priority and our Google Play developer policies strictly prohibit apps that are deceptive, malicious, or intended to abuse or misuse any network, device, or personal data. When violations are found, we take action.”


Hacked medical information now among most valuable data offered on dark web, new study reveals


Hackers are increasingly attempting to attack healthcare organisations in a bid to steal valuable data they hold on their IT systems, according to a new report from online security company Carbon Black.

A survey conducted by the firm revealed that 83% of healthcare organisations have witnessed an increase in cyber attacks over the course of the past year, and that two thirds (66%) said hacking attempts had become more sophisticated over the last 12 months.

The study found that stolen records from healthcare providers have become one of the most valuable data assets sold on dark web illicit marketplaces, and that such records can change hands for three times as much as general consumer personally identifiable information (PII).

The report also states that Carbon Black’s healthcare customers saw an average of 8.2 attempted cyber attacks per endpoint each month last year, and that 45% of those surveyed said they had encountered hacking attempts over the same period in which the primary motivation was the destruction of data.

Analysis of stolen medical data offered on dark web marketplaces conducted by Carbon Black revealed that information that would allow criminals to pose as doctors was among the most expensive data listed, with malpractice insurance documents, medical diplomas, board recommendations, medical doctor licenses and DEA licenses on offer for as much as $500.

Meanwhile, forged prescription labels, sales receipts and counterfeit or stolen healthcare cards that could allow criminals to illegally obtain prescription drugs were found to sell for considerably less, and are typically being offered for between $10 and $120 per record.

Hacked health insurance login information is cheaper still, Carbon Black discovered, costing less than $3.25 per record on average.

Describing how cyber criminals are able to monetise the data they steal from healthcare organisations, the report says: “A hacker compromises the corporate network of a healthcare provider to find administrative paperwork that would support a forged doctor’s identity.

“The hacker then sells to a buyer or intermediary (who then sells to the buyer) for a high enough price to ensure a return on investment, but low enough to ensure multiple people buy the item.

“The buyer poses as the stolen doctor’s identity and submits claims to Medicare or other medical insurance providers for high-end surgeries.”

The report was published as US clinical laboratory Quest Diagnostics admitted that a third-party billing company may have exposed personal and medical records belonging to 11.9 million of its patients.

Quest said earlier this week that the American Medical Collection Agency (AMCA) had informed it that an unauthorised user had accessed its systems, which contained data on patients who had used Quest’s services.
