Regulators must make an example of British Airways following its massive data breach

Analysis carried out by risk consulting firm Kroll revealed earlier this month that reports of data breaches submitted by British organisations to the UK Information Commissioner’s Office (ICO) rose by 75% over the course of the past two years, suggesting businesses across the country were gearing up for a new era of transparency ushered in by Europe’s General Data Protection Regulation (GDPR), which came into force at the end of May. Under the terms of GDPR, organisations must report personal data breaches to the relevant local authority within 72 hours of becoming aware of any such incident, or face a large fine of up to €10 million ($11.7 million) or 2% of global turnover, whichever is greater.

This is intended to prevent companies from covering up major breaches in order to protect their corporate image or brand. Just how seriously businesses are taking the new rules was made clear earlier this month by the speed with which British Airways (BA) went public with news that hackers had managed to steal the credit card details and personal information of nearly 400,000 of its customers. But while the airline may have avoided being hit with a fine for failing to go public quickly enough, it could still face a significant financial penalty if the breach is found to be a result of its failure to secure its customers’ information properly.

The company was quick to claim it had been hit with an extremely “sophisticated malicious criminal attack”, and issued the usual platitudes about taking customers’ data security seriously that companies typically fall back on in these types of scenarios, despite all evidence pointing to the contrary. What made the BA breach particularly damaging for the firm was the fact that hackers managed to obtain full sets of customers’ credit card details, including CVV numbers. This would have meant that cyber criminals with access to the data would have been able to use it immediately to make purchases from pretty much anywhere on the internet, a fact that prompted a number of banks to take the unusual step of pre-emptively cancelling cards belonging to customers whose information may have been compromised.

As companies are not allowed to store CVV data on their systems, it is thought the hackers behind the attack harvested data from the firm’s checkout page in real time while customers were entering their card details. BA has said it is investigating the breach “as a matter of urgency”, and the UK’s National Crime Agency and National Cyber Security Centre are also assessing the attack. But regardless of their findings, it is vital the company faces a severe financial penalty for allowing its customers’ data to be compromised.

Firms the size of BA have the resources to ensure they stay one step ahead of cyber scammers, be they sophisticated or not. If they choose not to do so, they should face serious consequences. Online security experts from RiskIQ have said Russian hackers were responsible for the breach, pointing specifically at the Magecart group, which is said to have been behind a similar attack on the Ticketmaster website in June. RiskIQ researcher Yonathan Klijnsma, who analysed code from BA’s website and app, claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” Klijnsma wrote, seemingly suggesting the hackers may have taken advantage of weaknesses in BA’s IT infrastructure. Either way, it is alarming that the breach was allowed to continue for two weeks before it was detected and reported.

It is likely that BA will claim it was targeted by a hacking organisation so sophisticated and cunning that it would have been next to impossible for it to prevent the attack, and that it should face no regulatory punishment as a consequence. However, if GDPR and similar legislation in other parts of the world are to stand any chance of forcing organisations to take better care of consumers’ data, it is surely in cases such as these where punishment should be applied. Major corporations will only start truly taking the security of their customers’ information seriously if they are forced to do so.

Allowing BA to wriggle off the hook after the latest in a long and sorry line of major data breaches at other companies simply sends the wrong message, and suggests GDPR will have no real impact. While most BA customers who had their details stolen might have been lucky enough to avoid having money taken from their credit cards after the breach, their personal details will now be doing the rounds on the dark web, leaving them exposed to identity thieves. Many could be dealing with the consequences for years to come, which is one of the main reasons BA should be made an example of. The ICO can and should make full use of its GDPR powers and hit BA where it hurts.

One child sex offence involving online indecent images recorded every seven minutes in UK

One child sex offence with an online element is recorded in the UK every seven minutes, according to new data obtained by the NSPCC.

After submitting freedom of information requests to police forces across the country for the latest figures relating to the sexual exploitation of children under the age of 18, the child protection charity discovered that recorded sex crimes against minors and young people have increased by more than 60% since 2014/15 to 76,204.

In cases in which the age of victims was provided, 16,773 offences were recorded against children aged 10 and under, while 341 were recorded against babies under the age of one.

Responding to the data, the NSPCC has called for the greater provision of specialised services for victims of child sexual exploitation across the UK, a more joined-up response to the problem from public services such as the police, healthcare providers, children’s services and advocacy groups, and the establishment of child-friendly spaces for children who have experienced sexual abuse.

Commenting on the figures, NSPCC boss Peter Wanless said: “Record numbers of child sexual offences means we are facing a nationwide crisis in the help available for tens of thousands of children.

“These children are bravely disclosing what happened to them but in too many cases there is not enough timely, joined up and child-friendly support. Instead they are shunted from overstretched service to service.

“We need a radical rethink in the way we help these young people, otherwise they could struggle for the rest of their lives with long term, deep seated trauma.”

Back in April, Britain’s Internet Watch Foundation (IWF) revealed that it took down more than 100,000 webpages containing indecent images of children and young people aged under 18 in 2018.

The IWF said it discovered and took down a record 105,047 webpages featuring indecent material last year, many of which contained hundreds of illegal images and videos.

This figure was up from 78,589 pages the organisation identified and removed from the internet in 2017.

Earlier this month, Europol warned in its latest Internet Organised Crime Threat Assessment (IOCTA) that the increasing volume of child sexual exploitation material being distributed online is in danger of overwhelming law enforcement agencies.

“The online solicitation of children for sexual purposes remains a serious threat with a largely unchanged modus operandi,” the report read.

“Self-generated explicit material is more and more common, driven by growing access of minors to high quality smartphones and a lack of awareness of the risks.”

Europol widens its partnership with US online security company Palo Alto Networks

EU law enforcement agency Europol and US cyber security firm Palo Alto Networks have announced an expansion of their partnership in fighting online crime and working together to make the internet safer for members of the public, private firms and governments.

Building on an existing agreement between Palo Alto and Europol’s European Cybercrime Centre (EC3), the two organisations have jointly signed a new memorandum of understanding (MoU) that outlines how they will exchange threat intelligence data and details of cyber crime trends, as well as technical expertise and best practice.

The relationship between Europol and Palo Alto will be widened to include the dynamic exchange of cyber threat intelligence with an aim to improve knowledge on new adversary behaviours, malware families and attack campaigns across the globe.

Palo Alto said its Unit 42 threat intelligence team would be central to the extended partnership, noting that analysts from the department work to uncover and document new threats, and help organisations defend themselves from the latest cyber threats by sharing insight into the various tools, techniques and procedures that threat actors use.

Speaking after the MoU was signed, Head of EC3 Steven Wilson commented: “The close collaboration between law enforcement and the global industry is crucial for countering effectively the increasing threat that criminals pose to the safety of the cyber space.

“We are confident that working together with the leading companies in the cyber world will significantly enrich the toolbox of the global coalition against cyber crime.

“This kind of cooperation is the most effective way to protect citizens’ and businesses’ digital lives.”

Earlier this month, Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) revealed that hackers are increasingly seeking out more profitable targets, and that ransomware remains the top online crime threat facing EU member states.

According to the study, while the number of ransomware attacks went down over the course of the past year, the criminals behind them are increasingly targeting more profitable victims with a view to causing greater economic damage.

Elsewhere, the report revealed that phishing and vulnerable remote desktop protocols are key primary malware infection vectors, and that data remains a key target for cyber criminals.

The study also found that the sheer volume of child sexual exploitation material being distributed online poses a threat of overwhelming law enforcement agencies.

US police use sophisticated cryptocurrency tracing techniques to smash world’s largest dark web paedophile film network

US prosecutors have charged a South Korean man with running the world’s largest dark web distribution network for indecent images of children, according to a statement from the US Department of Justice (DoJ).

Jong Woo Son, 23, has also been charged and convicted in South Korea, where he is currently serving jail time for the crimes of which he stands accused in the US.

The Welcome to Video website, which is reported to have hosted more than 250,000 indecent videos featuring minors that users had downloaded more than one million times, charged paedophiles for access to abuse material using cryptocurrency Bitcoin.

Despite Son’s concerted efforts to avoid being discovered by law enforcement authorities, investigators were able to trace the server he used to host the site through sophisticated cryptocurrency tracking techniques.

An additional 337 site users were arrested across the US as well as in countries including the UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.

As well as the arrest of users of the site, the operation to close down the three-year-old paedophile film network also led to the rescue of at least 23 child victims of abuse in the US, Spain and the UK.

Son was arrested in March last year in South Korea in an operation that resulted in the seizure of some eight terabytes of child sexual exploitation material, which the DoJ said was one of the largest such discoveries of its kind.

Specialists at the US National Center for Missing and Exploited Children (NCMEC) examined the material and found the site contained over 250,000 unique videos, 45% of which featured new images that had not been previously known to exist.

The website offered access to this content in exchange for payment in Bitcoin.

Analysis of the server that hosted Welcome to Video revealed that the site had more than one million Bitcoin addresses, suggesting it had the capacity for at least one million users.

Commenting on the shutdown of the site, Homeland Security Investigations (HSI) Acting Executive Associate Director Alysa Erichs said: “Children are our most vulnerable population, and crimes such as these are unthinkable.

“Sadly, advances in technology have enabled child predators to hide behind the dark web and cryptocurrency to further their criminal activity.

“However, today’s indictment sends a strong message to criminals that no matter how sophisticated the technology or how widespread the network, child exploitation will not be tolerated in the United States.

“Our entire justice system will stop at nothing to prevent these heinous crimes, safeguard our children, and bring justice to all.”
