The biggest cost of all, however, is the fines that a company may receive in the European Union - up to 4% of its annual revenue, in a worst case scenario. British Airways just got hit with one of the first of these very large fines.
On July 8, the Information Commissioner's Office (ICO), a data security watchdog in the UK, announced that it levied a £183 million (roughly $229 million) fine against British Airways (BA), citing a security breach in the summer of 2018 that allowed malicious hackers to skim credit card numbers from nearly 400,000 transactions. The fine landed under Europe’s new General Data Protection Rules, a sweeping set of laws designed to protect consumer data. Part of GDPR is assigning stronger penalties against companies that fail to protect customer data - in this case BA. BA actually got off easy; the fine totalled only 1.5% of annual revenue, well below the 4% maximum.
The only way to accomplish this is to monitor every snippet of code and every library in a web application or hybrid mobile application on a continuous basis and spot modifications to site code in near real-time. Savvy attackers could wreak tremendous damage even in brief windows of exposure during high-traffic periods such as Cyber Monday or Christmas Eve (to name two popular online shopping days).
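One way to implement the kind of monitoring described above, as an added example that is not BA's code or the author's: take a known-good snapshot of a checkout page, then audit each later fetch for scripts from hosts outside an allow-list, external scripts with no integrity attribute, and inline scripts whose hash no longer matches the baseline. It uses only the Python standard library; the sample markup, the allow-list and the host names are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect external <script src> tags (with any integrity attribute) and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def sri_hash(body: str) -> str:
    """Subresource Integrity style digest (sha384, base64) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()
def inline_baseline(html: str) -> set:
    """Hashes of every inline script in a known-good snapshot of the page."""
    inv = ScriptInventory(); inv.feed(html)
    return {sri_hash(b) for b in inv.inline}
def audit(html: str, baseline: set, allowed_hosts: set) -> list:
    """Findings for a fresh fetch: unlisted hosts, externals without SRI, inline scripts not in baseline."""
    inv = ScriptInventory(); inv.feed(html)
    findings = []
    for src, integrity in inv.external:
        host = urlparse(src).netloc
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        if integrity is None:
            findings.append(("missing-sri", src))
    findings += [("inline-changed", sri_hash(b)) for b in inv.inline if sri_hash(b) not in baseline]
    return findings
# Constructed sample pages (not real BA markup): a known-good snapshot, then a fetch with an altered inline script and an injected script from an unlisted host.
GOOD_HTML = ('<script src="https://www.shop.example/js/checkout.js" integrity="sha384-placeholder">'
             '</script><script>var cart = [];</script>')
BAD_HTML = (GOOD_HTML.replace("var cart = [];", "var cart = []; /* altered */")
            + '<script src="https://cdn.unlisted-host.invalid/s.js"></script>')
ALLOWED_HOSTS = {"www.shop.example"}
```

Run `audit(BAD_HTML, inline_baseline(GOOD_HTML), ALLOWED_HOSTS)` on each fetch and alert on any non-empty result; a legitimate deployment that changes an inline script needs the baseline re-taken, which is exactly the change-control step that makes an unexplained drift stand out.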
It’s important to note that this attack on BA is different from phishing, where a bad actor creates a fake site to deceive users. In phishing attacks, the original site isn’t liable because it’s an imitation site and there was no issue with the site that is being imitated; rather, phishing attacks rely on the inability of unsuspecting users to notice that the site they are visiting may be fraudulent. For Magecart attacks like this one, the site operators bear considerable responsibility. BA’s code was served and “verified” by the original site and on the official mobile application, making BA the clearly responsible party.
And make no mistake - the Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type. Cybercriminals are going where the money is. What’s your plan to stop them from hacking your site code - and putting you at risk of a massive fine?