Regulators must make an example of British Airways following its massive data breach


Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the course of the past two years, suggesting businesses across the country were gearing up for a new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into force at the end of May. Under the terms of GDPR, organisations must report personal data breaches to the relevant local authority within 72 hours of becoming aware of any such incident, or face a large fine of up to €10 million ($11.7 million) or 2% of global turnover, whichever is greater.

This is intended to prevent companies from covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had managed to steal the credit card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided being hit with a fine for failing to go public quickly enough, it could still face a significant financial penalty if the breach is found to be a result of its failure to secure its customers’ information properly.

The company was quick to claim it had been hit with an extremely “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies typically fall back on in these types of scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging for the firm was the fact that hackers managed to obtain full sets of customers’ credit card details, including CVV numbers. This would have meant that cyber criminals with access to the data would have been able to use it immediately to make purchases from pretty much anywhere on the internet, a fact that prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

As companies are not allowed to store CVV data on their systems, it is thought the hackers behind the attack harvested data from the firm’s checkout page in real time while customers were entering their card details. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to ensure they stay one step ahead of cyber scammers, be they sophisticated or not. If they choose not to do so, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for two weeks before it was detected and reported.

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these that punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.


EU prepares for WannaCry-style hacking attempts ahead of European Parliament elections in May


Europol has announced that law enforcement agencies across EU member states are preparing to counter cross-border hacking attempts ahead of the European Parliament elections at the end of May.

Bracing for cyber attacks on democratic institutions, think tanks and non-profit organisations ahead of the vote, the European Council has formally adopted an EU Law Enforcement Emergency Response Protocol, which Europol said would serve as a tool to support law enforcement authorities across the union by providing an immediate response to major cross-border hacking attempts.

The protocol, which gives Europol’s European Cybercrime Centre (EC3) a central role in responding to these types of threats, is intended to offer member states a rapid assessment of hacking attempts, as well as the ability to share critical information in a secure and timely manner.

Under the terms of the protocol, EC3 will help member state law enforcement agencies coordinate the international aspects of any investigation into cross-border hacking attempts.

The adoption of the protocol comes after major cyber attacks such as WannaCry and NotPetya that targeted national infrastructure and private businesses across Europe and elsewhere in 2017 demonstrated that member states were insufficiently prepared for the evolving nature of hackers’ methods.

Noting that the prospect of a major cyber attack having repercussions in the physical world is no longer the stuff of science fiction, Europol said the protocol complements existing EU crisis management mechanisms, and will help law enforcement agencies across the union tackle cyber security events of a malicious and suspected criminal nature.

Commenting on the adoption of the protocol, Wil van Gemert, Deputy Executive Director of Operations at Europol, said in a statement: “It is of critical importance that we increase cyber preparedness in order to protect the EU and its citizens from large scale cyber-attacks.

“Law enforcement plays a vital role in the emergency response to reduce the number of victims affected and to preserve the necessary evidence to bring to justice the ones who are responsible for the attack.”

The protocol was launched after the UK’s National Audit Office (NAO) last week criticised the British government’s efforts to prepare for major cyber attacks from hacking groups or hostile nation states such as Russia.

The NAO said Britain remains vulnerable to hacking attempts that could affect crucial infrastructure, domestic networks, and businesses.

NAO chief Amyas Morse commented: “The government has demonstrated its commitment to improving cyber security.

“However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021.”


Online fraudsters tricking UK Instagram users out of millions through bogus ‘get rich quick’ schemes


Scammers are using adverts for sham investment schemes to con money out of UK Instagram users, a British anti-fraud agency has warned.

Action Fraud, the UK’s national reporting centre for fraud and cyber crime, has cautioned users of the photo-sharing platform after hundreds of people got in touch with it to say they had lost money after falling for bogus “get rich quick” investment schemes advertised on the Facebook-owned service.

In total, 365 reports were made to Action Fraud about these types of scams between October 2018 and February 2019.

Victims who contacted the organisation lost £3,168,464 ($4.2 million) over this period, which works out to an average loss of around £8,900 per person.

The number of people targeted by the scam in the UK is likely to be much higher, as some victims choose not to notify the authorities after falling for this type of fraud, often owing to the embarrassment of having done so.

After convincing Instagram users to sign up for bogus schemes, online fraudsters typically ask for an initial £600 “investment” to be sent via bank transfer, which they claim will be multiplied by many times over just one 24-hour period.

Once victims have handed over their initial investment, they are soon sent fake screenshots by fraudsters showing how their money has grown, and are told to send a fee to release their profits.

After sending this second payment, victims receive no further contact from the fraudsters behind the scam.

Warning members of the British public about the fraud, Inspector Paul Carroll of Action Fraud said: “Opportunistic fraudsters are taking advantage of unsuspecting victims who are going about their day-to-day lives on social media.

“It’s vital that you follow the simple steps below to make sure you don’t fall victim to this fraud.

“If you think you have been a victim, contact Action Fraud.”

Action Fraud has offered advice on how to avoid falling victim to this type of social media scam, cautioning users of Instagram and other platforms never to send money to people they do not know and have only met online.

Last week, Action Fraud warned private tenants over online deposit scams, which involve bogus landlords tricking victims into handing over money to rent a home before disappearing with their cash.

The agency said it has received reports of scammers claiming to be online landlords to trick would-be tenants into sending money on the pretence they have secured a home to live in.

Prior to viewing the property, scammers ask victims to hand over a deposit along with one month’s rent upfront, before making off with the money.


US and European investigators knock xDedic cyber crime marketplace offline


A coalition of law enforcement authorities from the US and Europe have taken down an illicit online marketplace that is said to have generated tens of millions of dollars through the sale of access to compromised computers and consumer data that could be used for the purposes of identity theft and other types of fraud.

Prosecutors in Florida, the FBI and Europol were among the organisations that last week targeted servers and domain names linked to the xDedic Marketplace, which is thought to have been run by a group of Russian-speaking cyber hackers.

Users of the marketplace, which operated on both the dark and surface web, could run searches for compromised computer credentials sorted by a number of parameters, including price, geographic location and operating system.

Last Thursday, investigators in Belgium and Ukraine effectively knocked the website offline after executing a number of seizure orders.

The investigation that led to last week’s action uncovered evidence that the website may have facilitated fraud worth more than $68 million, and that its administrators ran a number of servers in locations across the globe in a bid to avoid the marketplace being taken down.

The platform’s administrators also used the cryptocurrency Bitcoin to conceal the identities of its administrators, buyers and sellers, and to shield the location of the servers on which it ran.

In a statement, the US Prosecutor’s Office for the Middle District of Florida said: “The victims span the globe and all industries, including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centres, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.”

The operation that led to the takedown of xDedic included the participation of the IRS, US Immigration and Customs Enforcement’s Homeland Security Investigations, the Florida Department of Law Enforcement, the Federal Prosecutor’s Office and the Federal Computer Crime Unit of Belgium, the National Police and the Prosecutor General’s Office of Ukraine, and the German Bundeskriminalamt.

Separately, Europol has announced that the takedown of webstresser.org in April of last year has provided a wealth of information that has allowed Dutch and British investigators to track down the perpetrators of Distributed Denial of Service (DDoS) attacks.

Webstresser.org, which was said to have been behind more than four million DDoS attacks on businesses across the globe, was the largest marketplace of its kind on the internet.
