Wednesday 17th July 2019

GDPR fines take off, highlighting the importance of a threat-led approach

The Fine

£183 million. That is the amount the UK Information Commissioner’s Office (ICO) reckons compromised British Airways (BA) customer data is worth. On 8 July, the ICO announced its intention to fine BA for a data breach that affected payment portals in both its website and mobile app between June and September 2018, compromising sensitive customer information such as names, addresses, and card information. The historic fine is the first since reporting breaches became mandatory under the terms of the General Data Protection Regulation (GDPR).

The ICO’s statement outlined that “poor security arrangements” contributed to the size of the fine. However, a fine of this size may have been avoidable with a threat-led and vulnerability-based approach to BA’s security. These two constituent components of risk can be used to limit the extent of the third, impact,[1] and thus protect against this sort of regulatory action.

Understanding the intersection of the threats you face and the vulnerabilities you have is critical to reducing the impact of cyber risk

The Villains

Security researchers at RiskIQ first identified what became known as the Magecart technique in October 2016. Magecart involves injecting code into vulnerable or third-party applications to skim information as it is entered into web forms, most typically payment card data entered by customers. Although the BA breach formed part of a sophisticated operation, it reportedly started in June, at the time comparable operations targeting Ticketmaster were publicised. Comparing cybercriminal forum chatter around the keyword “Magecart” with the number of our curated Intelligence Reports focused on this topic highlights the benefits of access to this raw information and of the supporting analysis that complements it.
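Because Magecart works by getting unexpected script onto a payment page, one concrete control a defender can run is an audit of every script the page loads: anything from an unexpected origin, any third-party script without a Subresource Integrity (SRI) hash, and any inline script on a page that should not have one. The following is an added example written for this page, not Orpheus’ or BA’s code; the allowlisted hostnames, the `.test` domains and the sample HTML are all constructed, and the SRI hash value is a placeholder.

```python
"""Audit the <script> tags of a payment page for Magecart-style injection risk.

Added example (not code from Orpheus or from the page's subjects). It assumes
a defender maintains an allowlist of the script origins a payment page is
expected to load; every hostname below is a constructed placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party host (relative src values are treated as first party).
FIRST_PARTY_HOST = "checkout.example-airline.test"
# Hypothetical third-party hosts that are expected, but must ship with SRI hashes.
ALLOWED_THIRD_PARTY_HOSTS = {"cdn.example-payments.test"}


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its attributes and any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"attrs": dict(attrs), "inline": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; accumulate them.
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data


def audit_scripts(html, first_party=FIRST_PARTY_HOST,
                  allowed_third_party=ALLOWED_THIRD_PARTY_HOSTS):
    """Return a list of (severity, message) findings for the page's scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src = script["attrs"].get("src")
        if src is None:
            # Inline script on a payment page is a classic injection point.
            body = script["inline"].strip()
            findings.append(("high", f"inline script present ({len(body)} chars)"))
            continue
        host = urlparse(src).hostname or first_party
        if host == first_party:
            continue
        if host not in allowed_third_party:
            findings.append(("high", f"script loaded from unexpected origin: {src}"))
        elif "integrity" not in script["attrs"]:
            # Without SRI, a compromised third-party host can silently swap the file.
            findings.append(("medium", f"third-party script without SRI hash: {src}"))
    return findings


# Constructed sample page: one clean first-party script, one SRI-protected
# third-party script, one third-party script without SRI, one unknown origin,
# and one inline script.
SAMPLE_PAGE = """
<html><body>
<form id="payment"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example-payments.test/analytics.js"></script>
<script src="https://static.unknown-origin.test/loader.js"></script>
<script>document.addEventListener('submit', function (e) { /* constructed stand-in */ });</script>
</body></html>
"""

if __name__ == "__main__":
    for severity, message in audit_scripts(SAMPLE_PAGE):
        print(f"[{severity}] {message}")
```

Run against a saved copy of the checkout page on a schedule, the audit turns a silent change in the script set into a finding; the same allowlist is what a Content Security Policy `script-src` directive would encode in the browser.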

Magecart keyword mentions on cybercriminal forums (gold line) versus in Orpheus’ processed intelligence reports (blue bar)

The Implications

The early pioneers of new techniques are typically highly-sophisticated criminal actors (and of course nation-states, a subject on which we have previously written). However, the increase in chatter around the technique on cybercriminal forums also highlights how this medium makes these techniques more accessible to less-capable tiers of cybercriminals. For example, the screenshot below illustrates an attempt by one cybercriminal actor to sell a Magecart-style skimmer to fellow forum users.

A Russian-language cybercriminal forum post offers a Magecart skimmer for sale.

This threat-led approach is empowered further when combined with an understanding of which specific vulnerabilities the threat actors likely to target you typically look to exploit, and whether these are present on your network. Such an approach would also have benefitted Equifax, the US credit assessment agency that in September 2018 received a £500,000 fine for a 2017 breach that affected the personal data of 143 million people (including up to 15 million UK citizens). Although a regulator’s report identified various issues, the long-term presence on Equifax’s public-facing infrastructure of vulnerabilities that cybercriminals were known to be exploiting in the wild was the key determinant of the breach and the subsequent fines.

Call to action

Contact us to find out more about Orpheus’ award-winning, threat-led approach to reducing cyber risk.

[1] The National Cyber Security Centre (NCSC) defines risk as a combination of threat, vulnerability and impact:
