September 2018. British Airways, one of the best-known and most widely used airlines in the world, discovered a situation that spelled disaster both for the company and for its users: someone had compromised close to 380,000 card transactions of clients who had made payments to the airline between August 21 and September 5.
The cybercriminals had managed to access not only basic details of users’ credit cards (name and card number), but also the security code (CVV). How were they able to get this code, if not even the airline itself stores it? It seems that someone had modified the website’s script so that, when the payment was carried out, they were able to steal this code, along with the rest of the card details. The result? A theft with global dimensions, and a serious crisis of reputation for the company.
Supply chain: the danger is in your own code
British Airways suffered what is known as a supply chain attack, a type of cyberattack that consists of introducing malicious code into the software development process, generally via third-party software. Once executed, the code allows the cybercriminals to access all the information they want to steal.
The airline isn’t the only company to have been affected. Just three months earlier, the ticket sales website Ticketmaster discovered a similar theft that had affected 5% of its clients. The root of the problem lay in one of its external providers, whose code had been modified in order to gain access to clients’ financial data.
But there are also cases that, while in theory smaller, end up being even more serious in the long run: this is what happened to GitHub, the largest open-source project in the world, which suffered a malicious modification within an old piece of code that was being used less frequently. Bearing in mind that many companies rely on GitHub’s repositories, the problems stemming from this intrusion could be exponential.
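The British Airways and Ticketmaster cases above both came down to a script on the payment page being changed. As an added example (not from the original article or from any company named in it), the Python code below audits a page's external scripts against their Subresource Integrity hashes, the mechanism by which a browser refuses to run a script whose content no longer matches the hash pinned in the page. The URLs, script bodies and the `audit_page` helper are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Return the Subresource Integrity value (sha384) for a script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def audit_page(html: str, fetched: dict) -> dict:
    """Classify each external script as ok, unpinned or modified.

    `fetched` maps script URL -> bytes served for it (downloaded by the caller).
    """
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.scripts:
        if not integrity:
            report[src] = "unpinned"  # browser runs whatever is served
        elif sri_hash(fetched.get(src, b"")) in integrity.split():
            report[src] = "ok"
        else:
            report[src] = "modified"  # served bytes differ from the pinned hash
    return report


# Constructed sample data: a checkout page and the script bodies served for it.
PAY_URL, CHAT_URL = "https://cdn.example/pay.js", "https://cdn.example/chat.js"
GOOD = b"function pay(card){ submit(card); }"
TAMPERED = GOOD + b" /* constructed: code appended by someone else */"
PAGE = f"""<html><body>
<script src="{PAY_URL}" integrity="{sri_hash(GOOD)}" crossorigin="anonymous"></script>
<script src="{CHAT_URL}"></script>
</body></html>"""
```

Run on a schedule against the live payment page, a result of `modified` means the served file changed after the hash was pinned, and `unpinned` marks scripts for which no such check exists.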
The dangers of a supply chain attack
A cyberattack on a company’s supply chain isn’t just a short-term problem; it has medium and long-term consequences too:
1.- Loss of external information. This outcome is obvious: a cybercriminal gets their hands on information belonging to the users of a platform that was supposed to be a secure environment.
2.- Loss of internal information. This isn’t just a problem for clients or users. It is also a problem for the company itself, since its corporate cybersecurity will be seriously damaged, and it could suffer the theft of internal data or confidential information that is vital for its day-to-day activities.
3.- Reputation. If a user has their data stolen from an external platform, it is only logical that they are unlikely to trust this portal again. And this is one of the challenges that British Airways and Ticketmaster are now facing: how to regain their users’ trust.
4.- Sanctions. Since May 25, the organizations responsible for ensuring compliance with the GDPR (General Data Protection Regulation) have been keeping a close eye on companies that infringe the new regulation. One of the consequences of personal data being stolen may be that the company ends up breaching the legislation. Every company that does so could face multi-million-euro sanctions.
A rising trend
As we highlight in our 2018 PandaLabs Report, there are likely to be more cases of supply chain attacks in 2019, given their effectiveness, their impact (they can spread quickly to millions of systems), and the trust that users place in software they believed to be legitimate.
To combat this, Panda Adaptive Defense not only monitors in real time all processes being carried out on a system, but it also focuses on all of a company’s developments, assuring the integrity and confidentiality of the supply chain and protecting corporate cybersecurity.
Often the greatest danger of cyberattacks can lie in the very center of a company’s IT systems, and so affects not only cybersecurity, but also the information and data of third parties, users, clients, etc. And it looks as though this trend is on the up, so companies must watch out to make sure nothing goes wrong in their supply chain.