British Airways breach shows the need for 'constant compliance'
The recent British Airways card breach compromised several types of information that raise both PCI DSS and GDPR concerns.
I have promoted the concept of continuous assurance (continuous auditing and compliance), which enables organizations to stay on top of newly discovered risks and threats and take mitigating actions immediately.
In the case of British Airways, the data that may have been compromised include name, email address, credit card numbers and, most surprisingly, CVV codes. Having access to CVV data indicates that the attack took place during live transactions since CVVs cannot be saved anywhere at any time per PCI DSS 3.2.1.
Were the attackers able to hack in through JavaScript that was executing on the platform, thus modifying the code directly? If the CVV codes were saved on the British Airways platform, that would be in direct violation of PCI DSS and would have a major impact on the airline.
As we evaluate this breach further, we must consider where the breach actually took place. Was it British Airways direct processing or third-party credit card authorization processes? Most organizations rely on third parties and/or banks for credit card processing, so the investigation may become a bit complex. I would not be surprised if this was a result of a poorly managed third-party breach.
The fact that the breach did take place is an indication of laxity in the security controls explicitly spelled out in PCI DSS.
As mentioned above regarding the CVV code, the first requirement that comes to mind is 3.2.2: "Do not store the card verification code or value (three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization."
As we consider the encryption specifications stated in requirement 3.5.X, it makes us wonder at what point the attacker was able to retrieve unencrypted personal and credit card data.
If data was breached during processing, which would indicate data transmission, PCI DSS requirement 4.1 comes into question: "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks."
I would question British Airways' compliance with PCI DSS section 6, which mandates that companies "develop and maintain secure systems and applications." Where did they miss the mark in continuously hardening cardholder data environments?
Also of interest is the PCI DSS requirement that companies conduct "regular tests of security systems and processes." Was British Airways conducting frequent vulnerability assessments and penetration testing of their cardholder data environments?
Quarterly vulnerability scans and pen tests are a "thing of the past." Attackers are developing advanced hacking tools that work around the clock. This can only be mitigated by countermeasures that execute in near-real time. There are solutions out there that provide near-real-time visibility into cyber threats, enabling instant mitigation and control implementation to prevent such attacks.
Additionally, what kind of data mapping or inventory has the airline conducted on all cardholder data? These inventory records become crucial when investigating a breach since, if properly managed, they provide data location, data classification, the state of the data and the data exchanges.
This breach will create noise around PCI DSS compliance and is guaranteed to trigger GDPR privacy concerns and much more. In today's world, organizations that lack security controls and have experienced a breach should expect many auditors, regulators and standards bodies to knock on their doors demanding information.