GDPR Gets Teeth: British Airways and Marriott Fined

Yesterday the UK’s Information Commissioner Office proposed record setting fines under GDPR for £183 million to British Airways, followed by today’s announcement of a proposed £99 million fine to Marriott International following their data breaches.

ICO representatives clearly stated their intention of enforcing GDPR fines for these breaches is to send a message to organizations that they are to be held responsible for personal information and data. The ICO states the GDPR legislation clearly mandates organizations to both consider how data is stored and what happens to it over the entire lifecycle.

What Went Wrong?

In both cases the ICO cites significant lapses in information security practices for the reasoning behind the fine. Without knowing the specifics we can still infer several facts from the BA breach.

It was widely reported to be in the family of Magekart attacks which saw old versions of an ecommerce platform called Magento automatically exploited. In most cases, just as in BA’s, they injected extra malicious code at the end of a widely used javascript library (modernizr).

These 22 lines of code proceeded to load external resources that were used to skim the payments forms for credit card details from over 380,000 victims.

Software Supply Chain Attack

Fundamentally, from an engineering standpoint, this could be classed under the family of Software Supply Chain attacks due to the fact a 3rd party library was tainted in the BA case. Setting aside the obvious questions of PCI compliance with payment forms loading external code, this illustrates how deceptively hard it can be to observe changes in one’s supply chain.

These sort of attacks do not rely on just a single weakness in the chain, but typically are a result of several corresponding incidents. In this case, an unpatched version of Magento was leveraged to proceed (Read more...)