In the immediate aftermath, the question on everyone's minds was whether, in the era of GDPR, the airline would see a substantial fine. While there have been a number of breaches since the introduction of the EU regulation, what was different in this instance was that the incident ticked every box with regard to personal data loss. While the jury is still out as to whether they will be served a fine or not (or indeed what size it might be), it has been one of the most notable breaches to occur since GDPR came into force earlier this year, in May 2018.
It was only after the initial flurry of press that the cause of the breach was discovered. About a week after the breach was reported, a cybersecurity researcher managed to analyze code from BA's website and app from the time when the breach began. They discovered evidence of a "skimming" or “scraping” script designed to steal critical information, including financial data, from online payment forms.
“Skimming” is a method used by cybercriminals to capture sensitive cardholder information, such as the cardholder's name and credit card details. The hack makes use of an increasingly common phenomenon, whereby large, complex websites embed multiple pieces of code from other sources, including third-party suppliers for data capture and processing. This complexity makes it relatively simple to hide malicious code, as no one really understands all the code in the website. In this case, the malicious code worked by grabbing data from BA's online payment form and sending it to the hackers' server once a customer hit the "submit" button.
Businesses need to become more aware of the risks posed by complex websites and the use of third-party components and code.
While methods of creating a “skimming” attack are constantly evolving to remain undetected for as long as possible, businesses must try to stay one step ahead of cybercriminals by implementing technological solutions or services that are able to detect the threat.
Constant monitoring of the website and newly generated pages is critical. Looking for known bad scripts is one way to detect potential issues, but the code is often obfuscated to make it hard to find. Monitoring the communication of critical information out of the website is the other way to detect nefarious activity, and it then allows the communication to be blocked and the infection removed. However, given the dynamic nature of complex websites, this task is not to be underestimated.
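The second detection approach described above, monitoring what leaves the payment page, can be illustrated with a small script. This is an added example, not code from the article or from Clearswift: it takes request events as a monitoring proxy or browser hook might record them, ignores hosts on an allowlist, and flags any other destination that receives Luhn-valid card numbers. The hostnames and sample events are constructed for the example.

```javascript
// Added example: flag outbound requests from a checkout page that carry
// card-like data to a host outside an allowlist. Hosts are constructed.
const ALLOWED_HOSTS = new Set([
  "pay.example-airline.test",
  "www.example-airline.test",
]);

// Luhn check: separates plausible card numbers from random digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return every 13-19 digit run in the text that passes the Luhn check
// (spaces and hyphens between digit groups are removed first).
function findCardNumbers(text) {
  const runs = text.replace(/[\s-]/g, "").match(/\d{13,19}/g) || [];
  return runs.filter(luhnValid);
}

// Each event is { url, body } as recorded by a proxy or a browser hook.
// Returns one finding per request that sends card data off-allowlist.
function flagSuspiciousRequests(events, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const ev of events) {
    const host = new URL(ev.url).hostname;
    if (allowed.has(host)) continue;
    const cards = findCardNumbers(ev.body || "");
    if (cards.length > 0) {
      findings.push({ url: ev.url, host, cardCount: cards.length });
    }
  }
  return findings;
}

// Constructed sample: a legitimate submit, a harmless analytics beacon, and
// a request shaped like the skimmer traffic described in the article.
const SAMPLE_EVENTS = [
  { url: "https://pay.example-airline.test/checkout", body: "card=4111111111111111&cvv=123" },
  { url: "https://analytics.example-cdn.test/collect", body: "v=1&t=pageview" },
  { url: "https://collect.example-attacker.test/gateway", body: "card=4111 1111 1111 1111&exp=12/22" },
];
```

Running `flagSuspiciousRequests(SAMPLE_EVENTS)` reports only the third request; in production the same check would feed a security event rather than a console line.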
Of course, skimming is only one attack vector for websites. There are others, such as XSS and session hijacking, to name only a few, but the outcome is the same: unauthorized access to critical information, often leading to financial fraud.
Clearswift’s deep-content inspection capabilities within the SECURE ICAP Gateway can be deployed in a ‘reverse proxy’ mode which will inspect a web page (or a downloaded file) and dynamically remove data that breaks policy. A policy breach can result in a security event being raised for the IT department to act on. The policy might not just remove credit card or bank details; it might also remove document metadata. This is often found in datasheets and whitepapers which an organization uploads and publishes on its website, and it can contain information that is readily used in a cyber-attack, for example the username of the document creator or their email address, the version of the software used and even printer details.
By implementing Clearswift’s technology, organizations can mitigate many of the attacks carried out against complex websites, reducing the risk of a data breach and protecting critical information, customers and employees, as well as the organization's reputation.