British Airways (BA) announced that 380,000 customer records containing credit card details had been taken during a cyber attack executed between 21 August and 5 September. As one of the major data breaches of 2018, the attack, though still fresh, has already prompted many respected cyber security researchers to speculate about its cause and about the airline's responsibility to comply with certain regulations.
Malicious code on the payment website may be the source.
The source of the attack, not disclosed by British Airways and currently under investigation, most likely lies in the website's applications rather than in a direct hit on BA's database. Marcus Greenwood, head of UBIO, analysed British Airways' payment web page and discovered that files from seven external domains loaded on it, including analytics, customer service and A/B testing tools: external applications which "should not be present on web pages processing customer card data".
Image: page analysis shown in Greenwood's Medium post (https://medium.com/the-automator/so-about-that-ba-hack-a82e5701f095)
Image: Introduction of Al-Bassam’s complaint posted at https://gist.github.com/musalbas/15420ee8318347a76a0fb3a120825e00
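A defender's version of the check Greenwood ran, as an added example (not code from the article, from UBIO or from British Airways): parse the payment page's HTML, resolve every script, iframe and stylesheet loader to its host, and flag any host outside a first-party allowlist. The allowlist, the sample page and the vendor hostnames are constructed placeholders, not the domains Greenwood found.

```python
# Added example, not the article's or UBIO's code; allowlist and sample page are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts permitted to serve code into the payment page (assumed allowlist).
FIRST_PARTY = {"www.example-airline.test", "payments.example-airline.test"}
# Tags whose URL attribute pulls remote code or framed content into the page.
LOADER_ATTRS = {"script": "src", "iframe": "src", "link": "href"}
LINK_RELS = {"stylesheet", "preload", "modulepreload"}


class _LoaderCollector(HTMLParser):
    """Collect (tag, url) for every element that loads a remote resource."""
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADER_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() not in LINK_RELS:
            return  # e.g. rel="icon" fetches no code
        url = attrs.get(attr_name)
        if url:
            self.loads.append((tag, url))


def find_third_party_loads(html, page_host, first_party=FIRST_PARTY):
    """Return sorted unique (tag, host) pairs loaded from non-allowlisted hosts."""
    parser = _LoaderCollector()
    parser.feed(html)
    flagged = set()
    for tag, url in parser.loads:
        parts = urlparse(url, scheme="https")  # also resolves "//host/x.js"
        host = parts.hostname if parts.netloc else page_host  # relative URL
        if host not in first_party:
            flagged.add((tag, host))
    return sorted(flagged)


# Constructed sample: first-party code plus three vendor tags on the card form.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/payment.css">
<script src="https://www.example-airline.test/js/payment.js"></script>
<script src="//analytics.vendor-example.test/tag.js"></script>
<script src="https://chat.support-vendor.test/widget.js" async></script>
<script src="https://abtest.experiments-vendor.test/snippet.js"></script>
<iframe src="https://payments.example-airline.test/card-frame"></iframe>
</head><body><form id="card"><input name="pan"></form></body></html>"""
```

Run the same function against each release of the payment page and alert on any new host; a Content-Security-Policy listing the same allowlist turns the finding into a browser-enforced control.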
Third-party applications have become a major source of data breaches
Third-party software applications have become a useful avenue for hackers to infiltrate major companies. Another airline, Delta Air Lines, experienced a data breach in April through a third-party online chat application (Best Buy, Sears and Kmart are other major companies that suffered data breaches because of the same application). The Ticketmaster data breach in June was another third-party attack through an external website application. Whether it is an online form, chatbot, survey application, analytics tool or social media extension, software in the supply chain can cause major data breaches.
Failing to meet regulations such as PCI-DSS (if credit card information is processed) or the EU GDPR (if any personal information from an EU citizen is requested) may lead to high penalties and major reputation loss. You have to regularly monitor your company and every third-party vendor and piece of software for compliance. For instance, checking whether your website is GDPR-compliant is vital to avoid the high penalties the EU may impose, and you may use a free GDPR compliance checker as a start.
Monitoring the cyber risk of your ecosystem, which consists of your company and every third-party vendor, is crucial. A tool such as the Black Kite Cyber Risk Scorecard may help you assess your ecosystem's risk. Note that your ecosystem multiplies your risk. Learn your score here.