Intelligent CISO Issue 16 - Page 25

threat updates

EUROPE

The Information Commissioner's Office (ICO) has issued a notice of its intention to fine British Airways £183.39 million for infringements of GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018 which, in part, involved user traffic to the British Airways website being diverted to a fraudulent site. British Airways said it was 'surprised and disappointed' and would be taking all appropriate steps to defend the airline's position, including making any necessary appeals.

The ICO also issued a notice of its intention to fine Marriott International a total of £99,200,396 for infringements of the General Data Protection Regulation (GDPR), relating to an incident which was notified to the ICO by Marriott in November 2018. The ICO will consider representations made by the company and the other concerned data protection authorities before it takes its final decision.

GLOBAL

RiskIQ, a global leader in attack surface management, published research uncovering a new campaign by the credit card skimming crime syndicate Magecart. RiskIQ has monitored the compromise of S3 buckets since the campaign began in April 2019 and the company has been working with Amazon and affected parties to address the injections and misconfigured S3 instances as it observes them.

According to the report, the actors behind the attack have automated the process of simultaneously compromising over 17,000 domains with skimmers by actively scanning for misconfigured Amazon S3 buckets. Because these buckets are misconfigured, they are insecure and anyone with an Amazon Web Services account can read or write content to them. This attack introduces yet another method by Magecart that RiskIQ researchers call a 'spray and pray' approach. Visit riskiq.com/blog/labs/magecart-amazon-s3-buckets for guidance on how to best protect Amazon S3 buckets.

www.intelligentciso.com | Issue 16 25
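The misconfiguration described above is an S3 bucket ACL that grants write access to the AllUsers or AuthenticatedUsers group. The following audit check is an added example written for this page, not code from RiskIQ or AWS; it assumes ACLs in the shape returned by the S3 GetBucketAcl API, and the sample ACLs are constructed.

```python
# Added example: flag S3 bucket ACL grants that let the public (AllUsers) or
# any AWS account (AuthenticatedUsers) modify bucket contents. Input mirrors
# the GetBucketAcl response: {"Owner": {...}, "Grants": [{"Grantee": {...},
# "Permission": ...}]}. A live ACL can be fetched with
# boto3.client("s3").get_bucket_acl(Bucket=name); the samples below are constructed.

# Predefined S3 group URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Permissions that allow changing objects (skimmer injection) or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (group_label, permission) pairs that expose the bucket to writes.

    AuthenticatedUsers is treated exactly like AllUsers: 'authenticated' means
    any AWS account in the world, not an account the bucket owner trusts.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to specific canonical users are out of scope here
        uri = grantee.get("URI")
        label = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}.get(uri)
        if label is None:
            continue  # e.g. the LogDelivery group, which is expected on log buckets
        if grant.get("Permission") in WRITE_LIKE:
            findings.append((label, grant["Permission"]))
    return findings


def is_writable_by_any_account(acl):
    """True when a Magecart-style injection needs nothing but an AWS account."""
    return bool(risky_grants(acl))


# Constructed sample: owner has full control, but any AWS account may write.
SAMPLE_BAD_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
# Constructed sample: only the owner and the S3 log-delivery group may write.
SAMPLE_OK_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}
```

Public READ grants are left out of the findings deliberately so the check reports only the condition that enables content injection; extend WRITE_LIKE if public reads are also unwanted.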