GDPR: Priority 1 - Secure; Priority 2 - Compliance
Disclaimer: I am using some assumptions and I am limited by the information made available to me.
The recent announcement by the Information Commissioner's Office (ICO) regarding the British Airways GDPR fine has highlighted the failings of PCI DSS compliance in meeting the expectations of the regulators. As a result, it may not only be British Airways that bears some responsibility for enabling this incident to occur in a PCI DSS compliant E-commerce operation, whether that be a failing with the PCI DSS itself, or a failing of the independent PCI assessment.
Reducing the compliance obligations, through the use of a redirect or embedded iFrame, excludes the majority of the basic Center for Internet Security (CIS) Critical Security Controls:
Consequently, the industry needs to take a fresh look at compliance, whilst businesses need to take Cyber/InfoSec seriously, employing a structured and formalised approach.
Avoiding the minimal 'Ticking the Box' approach is essential for any organisation wanting to protect its customers from payment card fraud or identity theft, and will help prevent considerable regulatory fines and damage to its reputation.
From the information available, it is fair to assume that British Airways were not as negligent as the fine suggests, and that there are other factors that may have influenced the approach taken by British Airways. Consequently, these additional influences should have been considered by the regulators, especially given that this type of attack was not isolated to British Airways, impacting around 50,000 other businesses in 2018.
Okay, so this week we saw the regulators flexing their muscles, announcing that they planned to fine British Airways the mammoth sum of £183.39 million ($230.5 million, €204.4 million). This equates to 1.5% of their global turnover from the previous year (75% of the tier 1 fine, for breach of their controller obligations). In essence, this appears to be focused on the following 4 of the 99 articles:
Article 5 (f). Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Article 24. Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
Article 25. Implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Article 32. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
As a result, from 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018 approximately 500,000 customer details (including credit card details) were stolen.
On the face of it, British Airways were clearly culpable and deserve to receive such a fine. However, is there an argument for British Airways being a victim of Compliance Complacency?
What is Compliance Complacency?
The Information Commissioner's Office have stated that, in the event of a breach, they would take into account an organisation's Payment Card Industry Data Security Standard (PCI DSS) compliance. Consequently, are there other factors that should be considered when apportioning culpability?
As E-Commerce interfaces involved in the processing of customer cardholder data, they would have needed to be PCI DSS compliant. Given that there were 500,000 compromised payments over the fortnight, it is reasonable to presume that British Airways would have been deemed a level 1 Merchant (processing over 6 million card transactions per annum) and would, therefore, have needed to be independently assessed for PCI DSS compliance by a PCI DSS Qualified Security Assessor (QSA). Another point to note is that, at the time of the data breach, British Airways had been a PCI Security Standards Council (SSC) 'Participating Organisation', helping to demonstrate that they are an organisation that is proactive in its efforts to adequately safeguard its customers' payment card data.
With these facts in mind, it is extremely likely that British Airways would have base-lined their E-commerce interfaces against the Card Brands & PCI SSC guidance and have been independently assessed annually, for PCI DSS compliance.
This being the case, how can this vulnerability have remained undetected since 2012?
Following the guidance at the time of the breach, E-Commerce merchants were given the opportunity of reducing their PCI DSS compliance obligations from circa 330 PCI DSS controls to just the circa 22 controls of an SAQ A. To be eligible for this, a Merchant needs to ensure that no payment card details are processed through its website, with all processing carried out via a PCI DSS compliant 3rd Party Payment Service Provider (PSP). For this, the E-commerce interfaces MUST employ an embedded iFrame or secure redirect. However, SAQ A does not include the 6.5 & 6.6 common coding vulnerability and web application testing controls, nor the identification of assets (data flows, network diagrams, etc.), vulnerability management, etc.
Note: The changes from SAQ A v3.2 to SAQ A v3.2.1 included the addition of the 6.2 control requirement.
Let's say that British Airways had not implemented the full redirect or embedded iFrame, what other options did they have to reduce their compliance obligations?
SAQ A-EP: Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing. This option brings the Merchant's website into scope, but still transfers the payment card processing to a PCI DSS compliant 3rd Party PSP. As a result, the Merchant's website is tested for common coding vulnerabilities (6.5 & 6.6).
Consequently, if British Airways had baselined their E-commerce interfaces against the PCI guidance, they would never have tested for this vulnerability, nor would they have had their E-Commerce interfaces tested and independently validated by a QSA.
Throughout my Cyber/InfoSec career (including nearly 5 years as a QSA), I have always encouraged businesses to avoid 'Ticking A Box' for compliance and to look at their business through the eyes of an attacker and to think in terms of RISK. No longer are corporate websites just for posting information; they are now used for the collection of personal data. Consequently, public-facing interfaces increase the risk of exposure of sensitive data.
The Magecart attackers are opportunists and are constantly looking for vulnerabilities that they can exploit. For this attack, the criminals discovered a work-around (Form-Jacking) where they were able to re-direct customer traffic in order to harvest customer data. Therefore, if you are a business with an E-commerce interface that is relying on PCI DSS validation against the SAQ A controls, then I would highly recommend that you add the additional testing controls to identify whether you are running the same risks as faced by British Airways, especially given that there was purportedly a 78% increase in Formjacking attacks in 2018.
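One concrete form such an "additional testing control" can take, and an illustration of the later point that you can only spot the ABNORMAL once you know what NORMAL looks like, is a check that inventories every script, form target and iFrame on a checkout page and compares it against the hosts the merchant expects (its own origin plus its PSP). The script below is an added example written for this article, not code from the original post, British Airways or the PCI SSC; the allowlist, the sample checkout HTML and the host names in it are constructed for illustration.

```python
"""Added example (not from the original article): an allowlist audit of a
checkout page for formjacking risk. It lists every external <script src>,
<form action> and <iframe src>, flags references to hosts outside the
merchant's expected set, and flags external scripts lacking Subresource
Integrity. All hosts and HTML below are constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "NORMAL": the merchant's own site plus its hypothetical PSP,
# which hosts the embedded iFrame / redirect in an SAQ A style deployment.
ALLOWED_HOSTS = {"shop.example", "pay.example-psp.example"}

# Constructed checkout page: one same-origin script, one allowed PSP script
# with SRI, one unexpected third-party script without SRI, and two forms.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://pay.example-psp.example/checkout.js"
        integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn-stat.example/modernizr.js"></script>
<form action="https://pay.example-psp.example/submit" method="post"></form>
<form action="//unknown-host.example/collect" method="post"></form>
<iframe src="https://pay.example-psp.example/frame"></iframe>
</body></html>
"""


class CheckoutPageParser(HTMLParser):
    """Collects script sources, form actions and iFrame sources from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, has_integrity_attribute)
        self.forms = []    # form action targets
        self.frames = []   # iframe sources

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for a
    same-origin path such as /static/app.js."""
    return urlparse(url).hostname


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the references on the page that fall outside the allowlist,
    plus any external scripts loaded without an integrity attribute."""
    parser = CheckoutPageParser()
    parser.feed(html)
    findings = {
        "unexpected_scripts": [],
        "scripts_without_sri": [],
        "unexpected_forms": [],
        "unexpected_frames": [],
    }
    for src, has_sri in parser.scripts:
        host = host_of(src)
        if host is None:
            continue  # same-origin script; covered by the merchant's own controls
        if host not in allowed_hosts:
            findings["unexpected_scripts"].append(src)
        if not has_sri:
            findings["scripts_without_sri"].append(src)
    for action in parser.forms:
        host = host_of(action)
        if host is not None and host not in allowed_hosts:
            findings["unexpected_forms"].append(action)
    for src in parser.frames:
        host = host_of(src)
        if host is not None and host not in allowed_hosts:
            findings["unexpected_frames"].append(src)
    return findings


if __name__ == "__main__":
    for category, items in audit_page(SAMPLE_CHECKOUT_HTML).items():
        print(f"{category}: {items or 'none'}")
```

Run periodically against the live checkout page (or wired into the release pipeline), any non-empty finding is a change from the recorded NORMAL and warrants investigation; the allowlist itself is the asset inventory the article's first pillar calls for.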
In addition, this fine notification demonstrates that business needs to develop and implement an effective cyber-security strategy, starting with a focus on the following 5 pillars:
Asset Management (including secure configuration management).
Vulnerability Management.
Privileged User Management.
Security Information and Event Management (SIEM).
Security Incident Management.
You can't defend what you don't know and you can't effectively react to the presence of the ABNORMAL, if you don't understand what NORMAL looks like.
Avoid the "Security through Obscurity" approach!
With regard to the industry, I hope that the PCI SSC learn from this to develop the PCI DSS, so that this can better protect E-commerce businesses.
The British Airways cyber-attack was a significant event, which led to considerable losses for British Airways customers and considerable gains for the criminal fraternity. However, from the available data, there are a number of mitigating factors that are commonly applied across the E-commerce operations, based upon industry guidance.
This demonstrates the need for businesses to look beyond compliance and to recognise the importance an effective Cyber/Info Security programme plays in their business. In 2013, during a 40 day engagement to develop a suitable InfoSec framework for an overseas client, I first saw the benefits of having a tiered approach, so as to focus on simplifying security, using the CIS 20 CSCs. Only when a business has developed and implemented firm foundations should it ever consider adding the additional layers for compliance: