In this article, we will examine some fairly recent PCI DSS data breaches to highlight common problems that caused them as well as how to avoid them.
British Airways confirmed a data breach on 7 September 2018 affecting sensitive, personal and financial information of more than 380000 of their customers. The breach occurred between 21 August and 5 September 2018 according to a statement made by British Airways.
What went wrong: Researchers from RiskIQ claimed to have found evidence that scripts on British Airways' payment forms had been modified. The modified scripts sent payment data to an attacker-controlled server while leaving the checkout working normally, so they went unnoticed. RiskIQ attributed the attack to Magecart, a criminal hacking group.
The electronics retailer Dixons confirmed that 105000 customers' sensitive card details had been leaked in a July 2018 data breach because chip and PIN security measures had not been implemented. The same hackers also tried to obtain the card details of a further 5.8 million users, but these were adequately protected.
Shortly after this announcement, Dixons released another statement updating a previous breach from 2017. That breach had been reported as leaking the information of 1.2 million of its users. However, the statement confirmed that it was larger than initially thought and could have affected up to 10 million users' sensitive and payment information.
What went wrong: Many experts in the industry have concluded that Dixons' defensive measures were far from sufficient to protect against such a breach. The breach occurred after the GDPR (General Data Protection Regulation) came into effect, so the company had more than enough time to put the correct measures in place to protect its users' data against breaches of this scale.
On 23 June 2018, Ticketmaster UK released a statement disclosing that it had discovered malicious software on one of its customer support platforms, which was hosted by an external third-party vendor.
The ticket-selling company stated that a criminal hacker group had gained unauthorized access to its users' sensitive personal information, including names, physical addresses, email addresses, Ticketmaster website login details and credit card details. It is estimated that about 40000 users' information was affected by this breach.
In April 2018, Rail Europe confirmed that its online payment system had been breached at some point between 29 November 2017 and 16 February 2018. It stated that the criminal hackers behind the attack may have compromised card details, including card numbers, expiration dates and verification codes (CVC/CVV/CV2 numbers). Customers' names, gender, addresses and contact details may also have been at risk.
What went wrong: Rail Europe said that the criminal hacker group had loaded malicious credit card skimming software onto its website without its knowledge. It took Rail Europe three months to discover the malicious code in its systems, but once discovered it was quickly contained. Rail Europe then rebuilt its systems from known "safe code", removing any and all untrusted components in the process.
Users of the Chinese smartphone manufacturer OnePlus began noticing and reporting fraudulent transactions on their bank accounts in January 2018. OnePlus launched an investigation into these reports and discovered that around 40000 users' sensitive card details had been compromised.
What went wrong: During its investigation, OnePlus found malicious code hosted on a payment page. According to its findings, the code had been there for around 2 months. OnePlus stated that the script executed intermittently; when it ran, it captured card data and sent it directly from the user's browser.
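The British Airways, Rail Europe and OnePlus cases above share one pattern: a script on the payment page was added or changed, and card data left the shopper's browser. The check below is an added example, not code from the article or any of the companies named in it. It records a baseline of the scripts on a checkout page (a hash of each inline script and the set of external script hosts) and reports any deviation; the two HTML pages are constructed sample data, and the hostnames in them are placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Matches every <script ...>...</script> element, capturing attributes and body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def fingerprint(html: str) -> dict:
    """Return the set of inline-script SHA-256 hashes and external script hosts."""
    inline, hosts = set(), set()
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            hosts.add(urlparse(src.group(1)).hostname or "(relative)")
        elif body.strip():
            inline.add(hashlib.sha256(body.strip().encode()).hexdigest())
    return {"inline": inline, "hosts": hosts}


def diff_against_baseline(baseline: dict, current: dict) -> list:
    """List deviations from the recorded baseline; an empty list means no change."""
    findings = []
    for host in sorted(current["hosts"] - baseline["hosts"]):
        findings.append(f"new external script host: {host}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"unknown inline script sha256={digest[:16]}...")
    for digest in sorted(baseline["inline"] - current["inline"]):
        findings.append(f"baseline inline script missing sha256={digest[:16]}...")
    return findings


# Constructed sample: the checkout page as recorded at baseline time.
KNOWN_GOOD = """<html><body><form id="pay"><input name="pan"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script>document.getElementById('pay').onsubmit = validate;</script>
</body></html>"""

# Constructed sample: same page with an extra third-party script and an edited inline script.
TAMPERED = KNOWN_GOOD.replace("validate;", "validate; track();").replace(
    "</body>", '<script src="https://cdn.third-party.invalid/s.js"></script></body>'
)

if __name__ == "__main__":
    # Run against the live page on a schedule; any finding is worth a human look.
    for finding in diff_against_baseline(fingerprint(KNOWN_GOOD), fingerprint(TAMPERED)):
        print("ALERT:", finding)
```

A real deployment would fetch the live checkout page (ideally from several networks, since skimmers sometimes serve clean content to the merchant's own addresses) and store the baseline outside the web tier so a compromised server cannot rewrite it.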
Stay secure with the PCI DSS
The data breaches above show that any company's systems can be exploited in a number of different ways. Faulty code, poor communication and information flow to and from third parties, and a failure to test networks and systems are all familiar issues. All of them can be mitigated by complying with the PCI DSS.