GDPR fines take off, highlighting the importance of a threat-led approach
The Fine
£183 million. That is the amount the UK Information Commissioner’s Office (ICO) reckons compromised British Airways (BA) customer data is worth. On 8 July, the ICO announced its intention to fine BA for a data breach that affected payment portals in both its website and mobile app between June and September 2018, compromising sensitive customer information such as names, addresses, and card information. The historic fine is the first since reporting breaches became mandatory under the terms of the General Data Protection Regulation (GDPR).
The ICO’s statement outlined that “poor security arrangements” contributed to the size of the fine. However, a fine of this size may have been avoidable with a threat-led and vulnerability-based approach to BA’s security. These two constituent components of risk could be used to mitigate the extent of the third – impact –[1] and thus protect from this sort of regulatory action.
Understanding the intersection of the threats you face and the vulnerabilities you have is critical to reducing the impact of cyber risk
The Villains
Security researchers at RiskIQ first identified what became known as the Magecart technique in October 2016. Magecart involves injecting code into vulnerable or third-party applications to skim information as it is entered into web forms, most typically customers entering payment card data. Although the BA breach formed part of a sophisticated operation, it reportedly started in June, when comparable operations targeting Ticketmaster were publicised. A comparison of cybercriminal forum chatter around the keyword “Magecart” overlaid with the numbers of our curated Intelligence Reports focused on this topic thus highlights the benefits of access to this raw information and the supporting analysis that complements it.
Magecart keyword mentions on cybercriminal forums (gold line) versus in Orpheus’ processed intelligence reports (blue bar)
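The skimming technique described above relies on script the site owner never intended reaching the payment page. As an added example (not from the original article or from Orpheus), the Python below audits a checkout page's external scripts against a host allowlist and Subresource Integrity (SRI) hashes. The page markup, host names and `served` content are constructed sample data, and SRI is a mitigation the article itself does not discuss.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_digest(body, alg="sha384"):
    """Subresource Integrity value a browser would compute for these bytes."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

class ScriptAudit(HTMLParser):
    """Flag external scripts on a payment page that could change unnoticed."""
    def __init__(self, page_url, allowed_hosts, served):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.allowed_hosts = set(allowed_hosts)
        self.served = served  # src -> bytes served now (fetching is out of scope)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # inline scripts are not covered by this check
        host = urlparse(src).hostname or self.page_host  # relative URL: first party
        if host == self.page_host:
            return
        integrity = attrs.get("integrity") or ""  # assumes one hash per attribute
        alg = integrity.split("-", 1)[0]
        if host not in self.allowed_hosts:
            self.findings.append((src, "host not on allowlist"))
        elif alg not in ("sha256", "sha384", "sha512"):
            self.findings.append((src, "no usable integrity hash"))
        elif src in self.served and sri_digest(self.served[src], alg) != integrity:
            self.findings.append((src, "content differs from pinned hash"))

def audit(html, page_url, allowed_hosts, served):
    parser = ScriptAudit(page_url, allowed_hosts, served)
    parser.feed(html)
    return parser.findings

# Constructed sample: a checkout page, and the bytes one pinned URL serves today.
LIB = b"function formatCard(n){return n.trim();}\n"
PAGE = f"""<html><body><form id="pay"><input name="card"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_digest(LIB)}"></script>
<script src="https://cdn.example/ui.js"></script>
<script src="https://stats.example/t.js"></script></body></html>"""
SERVED = {"https://cdn.example/lib.js": LIB + b"/* modified after pinning */\n"}
for src, why in audit(PAGE, "https://shop.example/checkout", {"cdn.example"}, SERVED):
    print(f"{why}: {src}")
```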
The Implications
The early pioneers of new techniques are typically highly sophisticated criminal actors (and of course nation-states, a subject on which we have previously written). However, the increase in chatter around the technique on cybercriminal forums also highlights how this medium makes these techniques more accessible to less-capable tiers of cybercriminals. For example, the screenshot below illustrates an attempt by one cybercriminal actor to sell a Magecart-style skimmer to fellow forum users.
A Russian-language cybercriminal forum post offers a Magecart skimmer for sale.
This threat-led approach is empowered further when combined with an understanding of which specific vulnerabilities the threat actors likely to target you typically look to exploit, and whether these are present on your network. Such an approach would also have benefitted Equifax, the US credit assessment agency that in September 2018 received a £500,000 fine for a 2017 breach that affected the personal data of 143 million people (including up to 15 million UK citizens). Although a regulator’s report identified various issues, the long-term presence on Equifax’s public-facing infrastructure of vulnerabilities that cybercriminals were known to be exploiting in the wild was the key determinant in the breach and subsequent fines.
Call to action
Contact us to find out more about Orpheus’ award-winning, threat-led approach to reducing cyber risk.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.