Regulators are cracking the whip: Equifax settlements and British Airways fines are just the beginning

It is 2019. If you still think your website, API or mobile app is immune to cyberattacks, we wish you the very best of luck. Most high-profile data breaches, just like the Equifax data breach, are a result of inadequate or antiquated web application security. In the case of Equifax, it was a known Apache Struts vulnerability, and in the case of British Airways, the evidence points to client-side JavaScript attacks. Some online businesses think the cost of a data breach will be crippling the business. While the fines imposed on British Airways and the reported Equifax settlement may not be crippling, they are a financial bruise with the potential to fracture a company’s brand reputation and consumer confidence.

The explosion of user data has created many new business models. Corporations, big and small, have profited handsomely by monetizing insights into users’ behaviors and their sensitive data. Bots have lowered the cost of attacks for cybercriminals over the years. But user data protection has never been front and center for companies. The status quo is about to change.

When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist. But the FTC in the U.S and the Information Commissioner's Office (ICO) in the UK enforcing GDPR are imposing meaningful fines, and holding these large corporations accountable for breaches. The true cost of breaches involving sensitive user data is hard to estimate, and the ballooning fines don’t make it any easier. Finally, regulators are sending the right signals. And businesses around the globe are beginning to understand that compliance alone is not enough!

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) are reportedly close to levying a $700M fine on Equifax. This comes within eleven days after the ICO fined British Airways $229M for failing to protect consumer data. The Equifax breach was one of the largest data breaches of the time with up to 145M users' personal data compromised.

The after-effects of the Equifax data breach will linger for a long time and affect many organizations. Even those that have done a good job of protecting their data are impacted. We are confident that a large number of the compromised users' sensitive information from the Equifax data breach is actively in use in account takeover (ATO) attacks. Cybercriminals can combine data from different breaches - for example, login, name and address from one with the date of birth and password from another - to increase the success rate of credential stuffing. Let's be honest -many users, even today, reuse passwords on different sites. And users also use easy to guess passwords. The Equifax data breach included key data like the last four digits of a social security number and date of birth. These could be used to take full control of user accounts without their knowledge. The Equifax data breach was particularly harmful to online businesses since it involved a large majority of U.S. consumers and their sensitive data, all neatly packaged in one massive breach.

Traditional approaches to application security such as web application firewalls have serious limitations. Equifax could have protected their users by patching sooner, but the compromised user information is out there enabling ATO attacks on every online business. The ever-evolving bad actors will keep finding ways to capitalize on web properties.

For e-commerce, travel and financial verticals, and any business with online user accounts or rewards programs, it is imperative to deploy advanced bot management that can protect against ATO attacks. It is imperative that businesses quickly review their application security protocols and consider additional safeguards before they too are both compromised and fined.