British Airways Fined $233 Million – Are You Protected?
The risks of hidden third-party tags got a hard dollar value this week when British Airways was fined $233 million for letting malicious JavaScript on their website that stole up to 429,000 customers' credit card information. This marks a sharp turn in the fortunes of companies that don't take the runtime profile of their websites under constant review. This is also a wake-up call for companies that are betting on lax GDPR enforcement or hoping for small fines as justification for continued business as usual in their security measures.
This kind of data breach is increasing in popularity with hackers, becoming progressively more challenging to detect, and can have material financial consequences. In this article, I'll look at the nature of the attack, how you can protect your organization's site, the change in operations needed to remain secure, and how the learnings from this fine also apply to US-based companies.
Hidden tags primer
This breach relies on the extremely common use of third-party JavaScript tags running on websites. When coders build modern websites, they use a combination of HTML and JavaScript to power their web experiences. HTML is used for the static parts of a page, and JavaScript to provide advanced functionality like animations or other custom experiences. Almost all modern developers use libraries of JavaScript code to give them a jumpstart on development. You may have heard of some of the most common, like React, Angular, or jQuery. Instead of loading all of the code from these libraries on each page, they are typically loaded at runtime from a file that's download when the page is being loaded into the browser from a Content Delivery Network (CDN).
All of the modern martech and adtech technologies are also delivered this way through JavaScript including files and redirects. Google Analytics, DoubleClick, Marketo, and retargeting engines, analytics suites, social media integrations - all require JavaScript to run in the browser to operate. These are likewise loaded from remote servers.
The danger is that the JavaScript loaded from one of these remote locations can in turn load JavaScript from another party. These hidden tags can create a complex web of code-calling-code-calling-code that is difficult to predict and analyze.
Here's an example of what lies beneath the NFL's website. Source: Trackermap
The hack comes from the browser
In the BA attack, the hackers used this complex web of interconnected JavaScript files to load a specially crafted version of a common library on to British Airways' payment pages. The code looked very similar to the regular code. It allowed the payment process to continue successfully. It was very hard to detect.
But, every time a user clicked to process their payment, all of their form details - name, address, credit card, CVV - were being serendipitously sent to the hacker's website, too.
This hack turns the user's own browser - and their trust in the website they're using - against them.
There were no databases hacked. No files lifted from servers. All of this happened in the victim's own browser of choice.
How to protect your site
As the end user of a website, there's often very little that you can do to prevent an attack like this. You can turn off JavaScript, but that frequently makes websites completely nonfunctional or at least reduces their usability significantly. In this case, the user would not have been able to purchase a ticket on ba.com without JavaScript enabled.
Instead, the onus for this protection falls fully on the owner of the website, in this case British Airways, or, this were to happen to your organization: You.
It's critical that you have a view of all of the code executing in the runtime environment of your site, whether you placed it there, or one of your vendors introduced it into your environment. It is simply not enough to review the source code that your developers have produced. You need to know what the actual, live code-calling-code-calling-code daisy chain absolutely executes in the users' browsers.
Your IT and Web Operations team need to use a tool like this to review the live code every week, if not every day. In the ba.com example, the code ran for three months before discovery. Three months! A tool like this could have helped detect and shut down the hack the day it began.
Impact on businesses
As an industry, we've become complacent with data breaches and leaking customer data. The announcements seem to come and go, and we lose track of the impact they're having on business.
This fine from the UK's ICO highlights that even if the code didn't originate on your server, you are the company serving the code to your users and ultimately responsible for the breach. This fine is 1.5% of all of BA's revenue for 2018. Under the GDPR, organizations can be fined up to 4% of their annual revenue - so this may not be the largest fine we'll see.
In the US, we are not immune to these types of penalties. The California Consumer Privacy Act (CCPA) is introducing a $7,500 per-consumer fine model (which would be an astronomical $3.2 billion maximum fine in the ba.com case). Other privacy regulations being consider around the nation are likewise building in structure fines for poorly managing sites and data.
But you don't have to wait for new regulation. Equifax's credit rating was downgraded by Moody's as a response to the breathtaking $1.35 billion already lost due to their own breach.
Treating customer data is a responsibility we all take on when we engage in data collection and transactions across the internet. Beyond the moral imperative to treat this data securely and safely, failure to do so can have significant, long-term financial costs to your operation.
Next Steps
What should you do now?
First, reach out to your developers and IT leaders to make sure you have some technology in place to monitor and manage hidden third-party tags.
Second, make sure that you move the conversation about privacy and compliance into your customer experience design process. When you build UX for your customers, you're enabling the data collection and transactions that implicitly promise security and safety. Even as a marketing leader, you can't afford to simply assume that IT and legal will make everything ok.
Third, ask questions. What data are you collecting? What purpose does it have? Does asking for this information put you in a position to help the customer or just add to your possible data breach attack surface?
Brands that take these measures seriously and protect the trust their customers have placed in them will be the winners over the next decade. We can all learn from Apple's lead here, where they treat customer privacy, trust, and security as a fundamental feature of their products and services. Will you be a victim or a champion in this new normal? Thinking your company is immune or starting to worry only when the fines and breaches keep happening to other companies is not a good strategy. There could be hidden tags on your website running right now, by taking control to track these you are reducing the risk of them taking control of your customers' data.
View original content here
Related Crownpeak News: