The British Airways $229.72 million fine. What happened?
This week we heard the news of the $229.72 million (£183.39 million) GDPR fine proposed against British Airways. The fine relates to a 2018 data breach that affected hundreds of thousands of BA customers and compromised data from over 380,000 card payments, and it was issued for BA's failure to meet its obligations under GDPR. BA's lawyers may well negotiate a fine like this down, but the root of the problem is what matters most. Preventing the breach would not only have avoided the fine (obviously), it would have prevented a far more costly outcome: hundreds of thousands of dissatisfied customers who lost trust in the brand.
So, let’s dig a little deeper and discuss what exactly happened.
How did it happen?
In the months since the 2018 breach, the incident has been the subject of much speculation and guesswork. British Airways has not released any information on what led to the attack or how the attackers got at the data, yet many security experts and researchers quickly weighed in.
Using what British Airways did disclose, plus research of their own, these experts have reached some conclusions about what might have led to the breach. Some assumed a connection between third-party JavaScript files and the breach, others blamed an XSS vulnerability, but these remain assumptions. The truth is that we do not yet know what led to the attack, and we probably will not find out anytime soon.
So, what do we know?
After the attack, BA disclosed that travel data had not been compromised, but that financial data, including CVV numbers, had. PCI DSS forbids storing the CVV after a transaction is authorised; merchants only handle it while the payment is being processed. So if CVVs were stolen, they were almost certainly captured at the moment the customer entered them, not lifted later from a database. BA also disclosed that only transactions made during a specific window (August 21st to September 5th) were affected, which is consistent with something sitting in the payment flow for exactly that period.
Using these details as clues, RiskIQ security researcher Yonathan Klijnsma concluded that the attack ran through a modified copy of the Modernizr JavaScript library: malicious code was added to a library the payment page already loaded, so no new script had to be introduced. The modified component, found on BA's baggage claim information page, hooked the payment form so that once a user submitted their details, the entered data was also sent to a server the attackers controlled. Klijnsma found the same compromised script being loaded by BA's mobile app, which pulls part of its content from the website, and BA had earlier disclosed that mobile users were also affected by the breach.
The attack was also clearly targeted at British Airways, since it relied on the specifics of BA's scripts and payment data flow rather than on a generic skimmer. The attackers even registered a domain name resembling a British Airways domain for the exfiltration traffic, so that the outbound requests would not raise an alarm to anyone glancing at them.
The Ticketmaster breach earlier that year (June 2018) also attracted renewed attention after the BA breach. Experts and researchers link both attacks to the same criminal group, the card-skimming operation RiskIQ tracks as Magecart, because of the similarity of the scripts used and the modus operandi.
All in all, we know that the attackers modified JavaScript file(s) without breaking their functionality, which is why nothing visibly failed and functional testing would not have caught the change; only an integrity check of the served asset against the reviewed build, or monitoring of where the payment page sends data, would reveal it. How the payload got into that JavaScript file is still unknown, and the attack vector could be any of several things: a compromised web server or CDN host, compromised static-asset storage, one or more web application vulnerabilities, or an internal source such as an employee.
What could be done to prevent future breaches?
Saying that the British Airways attack could easily have been prevented by adopting one set of practices or one group of tools would belittle the whole cyber-security industry and underestimate the creativity and skill of the attackers. There are many attack vectors you need to defend your data against, from network security to social engineering to web application attacks. Successful breaches are usually carried out across several of these vectors by chaining different vulnerabilities, so you should do your best to secure all of them.
Security is about preventing these vulnerabilities and finding the ones that slip through before an attacker does. To do that, you need to test your security continuously, using more than one method.
Our expertise is web security, so we will focus only on web security testing. But you should look into your attack surface and implement a strategy to mitigate other attack vectors. You cannot just increase the height of one part of the fence, and leave gaps in another, you need to increase your security all around.
There are many ways to test the security of a website. Penetration testing, bug bounties and automated vulnerability scanners are just a few examples, and you should combine all of them. Start with automated scanning, since it is quick and affordable. Probely, an automated scanner, lets you scan your web application frequently and methodically for over 1000 web vulnerabilities and manage their life-cycle. Since web vulnerabilities are the root cause of many breaches, a good automated scanner will catch a share of them and head off a lot of attacks. Automated scanners do not guarantee that you will find every vulnerability or that your website will not be hacked, but incorporating them and scanning frequently is a sound strategy.
Since the BA attack was executed through the web application, a web vulnerability could have been the entry point (again, this is an assumption). Having a solid application security testing strategy in place will certainly lower the odds of such an attack. We do not know what security measures British Airways had in place, and the attack appears to have been well planned, so claiming that one tool or another would have prevented this breach would be reckless. But a good security strategy, backed by a combination of tools that let you deal with security at scale, is crucial to reducing the risk.
Use your creativity to secure your data, attackers will surely use theirs to compromise it.