Yesterday the UK's Information Commissioner's Office (ICO) proposed a record-setting fine under GDPR of £183 million for British Airways, followed today by the announcement of a proposed £99 million fine for Marriott International, both in response to their data breaches.
ICO representatives were clear that the intention behind enforcing GDPR fines for these breaches is to send a message to organizations that they will be held responsible for the personal data they hold. The ICO states that the GDPR legislation clearly requires organizations to consider both how data is stored and what happens to it over its entire lifecycle.
What Went Wrong?
In both cases the ICO cites significant lapses in information security practices as the reasoning behind the fine. Without knowing the specifics, we can still infer several facts from the BA breach.
These 22 lines of code went on to load external resources that were used to skim credit card details from the payment forms of over 380,000 victims.
Software Supply Chain Attack
Fundamentally, from an engineering standpoint, this falls within the family of software supply chain attacks, because in the BA case a third-party library was tainted. Setting aside the obvious PCI compliance questions raised by payment forms loading external code, it illustrates how deceptively hard it can be to observe changes in one's own supply chain.
These sorts of attacks do not rely on a single weakness in the chain; they are typically the result of several compounding failures. In this case, an unpatched version of Magento was leveraged to proceed (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/gdpr-gets-teeth-british-airways-and-marriott-fined