The Information Commissioner’s Office (ICO) has issued a
notice of its intention to fine British Airways £183.39 million
for infringements to GDPR.
The proposed fine relates to a cyber incident notified to the
ICO by British Airways in September 2018 which, in part,
involved user traffic to the British Airways website being
diverted to a fraudulent site.
British Airways said it was ‘surprised and disappointed’ and
would be taking all appropriate steps to defend the airline’s
position, including making any necessary appeals.
The ICO also issued a notice of its intention to fine Marriott
International a total of £99,200,396 for infringements of
the General Data Protection Regulation (GDPR), relating
to an incident which was notified to the ICO by Marriott in
The ICO will consider representations made by the company
and the other concerned data protection authorities
before it takes its final decision.
RiskIQ, a global leader in attack surface
management, published research
uncovering a new campaign by the credit
card skimming crime syndicate Magecart.
RiskIQ has monitored the compromise of S3
buckets since the campaign began in April 2019
and the company has been working with Amazon
and affected parties to address the injections
and misconfigured S3 instances as they observe
them. According to the report, the actors behind the attack have
automated the process of simultaneously compromising over 17,000
domains with skimmers by actively scanning for misconfigured Amazon
S3 buckets. Because these buckets are misconfigured, they are unsecure
and anyone with an Amazon Web Services account can read or write
content to them. This attack introduces yet another method by Magecart that RiskIQ
researchers call a ‘spray and pray’ approach. Visit riskiq.com/blog/labs/magecart-
amazon-s3-buckets for guidance on how to best protect Amazon S3 buckets.