2019: The Year the Regulators Cracked Down
December 12, 2019
Looking back on a record year for regulatory fines.
As our CEO put it recently in a piece for Tech Radar Pro: “2019 will go down in the cyber hall of fame for being the year the regulators showed their teeth.”
Equifax agreed to pay at least $575 million to settle with the FTC, the CFPB and US states over its 2017 breach, which affected about 147 million people and stemmed from an unpatched Apache Struts vulnerability in a public-facing web application (Struts is a web framework, so the hole was in the application tier, not a database). The ICO announced its intention to fine British Airways £183 million after the airline was caught out by a Magecart card-skimming attack, and its intention to fine Marriott almost £100 million over a data breach at one of its subsidiaries that went undiscovered for years.
Those are some serious sums of money. Clearly, the regulators have decided that one of the ways they’re going to compel organisations to take cybersecurity more seriously is by making a few examples – and plenty of headlines in the process.
But it’s worth remembering that regulators don’t dish out penalties for data breaches. They dish them out for non-compliance. Those companies got fined because the data breaches that affected them triggered audits or investigations that discovered insufficient cybersecurity measures. Regulators want to see that enough due care and diligence has been taken to establish a strong security posture and reduce the likelihood of being breached.
Regulators want to see evidence that risk analysis, gap analysis and vulnerability assessments have been carried out; that the proper controls have been deployed; and that those controls are regularly assessed to check that they’re doing what they’re supposed to. They also want an auditable record of all of these things that they can refer back to.
Ultimately, no company can make themselves so secure that the threat of a breach is nullified. But you can establish a level of visibility and auditability that makes it easier to demonstrate compliance should a breach occur.
With regulatory penalties being as severe as they are, organisations should take the risk of non-compliance as seriously as the risk of lax security. In this piece, we’ll look at two non-compliance penalties that occurred in 2019 and explore how Continuous Controls Monitoring could have helped.
Marriott and Starwood data breach
Starwood is a subsidiary of Marriott, acquired in 2016. Unbeknownst to both parties, Starwood's guest reservation database had been compromised back in 2014, and the attackers remained undetected on Starwood's network until September 2018. Around 339 million guest records were exposed, including names and contact details, passport numbers (millions of them unencrypted) and payment card numbers.
According to the ICO, Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems".
As cybersecurity lawyers Robert E. Braun and Jim Butler noted at the time: “A company must conduct a security audit prior to combining systems, with a goal of detecting whether security basics are in order, and both companies are aligned as to how customer data is collected, handled and stored.”
Had Marriott been able to establish full visibility of Starwood’s assets and controls during the acquisition process as part of their due diligence, this breach may well have been discovered and dealt with before it was too late.
British Airways data breach
Magecart is a collective of hacker groups that target online ecommerce systems to harvest payment card information. As of August 2019, over 80 major brands, including Ticketmaster, Forbes and British Airways, had been affected by Magecart's card skimming activity.
They compromise sites by injecting JavaScript that harvests the data customers type into payment or contact forms and sends it to a server the attackers control. The skimmer on British Airways' website was active for just over two weeks (21 August to 5 September 2018), during which the personal and payment details of around 500,000 customers were compromised.
“This skimmer is attuned to how British Airways’ payment page is set up,” explained Yonathan Klijnsma, Head Researcher at RiskIQ. “Which tells us that the attackers carefully considered how to target this site in particular.”
During their investigation, researchers at RiskIQ also found that the TLS certificate Magecart used on its drop server had been issued on 15 August 2018, almost a week before the skimming began. This suggests that the attackers already had access to British Airways' site before the reported start of the breach. As Klijnsma explains, "without visibility into its internet-facing web assets, British Airways were not able to detect this compromise."
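The two checks below are an added example, not code from the original article or from RiskIQ, showing what "visibility into internet-facing web assets" looks like in practice for the technique described above. On every crawl of a payment page it (1) lists every origin the page loads scripts from and flags any not on an owner-maintained allowlist, and (2) compares the SHA-256 of each fetched script against a recorded baseline, which is how a skimmer hidden inside an existing first-party library (rather than loaded from a new third-party host) would surface. The page URL, hostnames, HTML and script bodies are all constructed for the example; `cdn.unapproved.test` is a placeholder, not a real Magecart domain.

```python
"""Script-inventory and integrity check for a payment page (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_urls(html, page_url):
    """Absolute URLs of all external scripts the page loads, in document order.
    urljoin resolves relative ('/x.js') and protocol-relative ('//host/x.js') srcs."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.sources]


def origin(url):
    """scheme://host[:port] of a URL, the unit the allowlist is expressed in."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def audit_scripts(html, page_url, allowed_origins, baseline_hashes, fetched_bodies):
    """Run both checks and return the findings.

    allowed_origins: origins the site owner has approved for script loading.
    baseline_hashes: script URL -> SHA-256 hex digest recorded at last review.
    fetched_bodies:  script URL -> bytes as fetched by the crawler on this run.
    """
    urls = script_urls(html, page_url)
    unapproved = sorted({origin(u) for u in urls} - set(allowed_origins))
    modified = []
    for url in urls:
        body = fetched_bodies.get(url)
        if body is None or url not in baseline_hashes:
            continue  # unknown scripts are already reported via the origin check
        if hashlib.sha256(body).hexdigest() != baseline_hashes[url]:
            modified.append(url)
    return {"unapproved_origins": unapproved, "modified_scripts": sorted(modified)}


# --- Constructed sample data (not from any real site) ---
SAMPLE_PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """
<html><body>
<script src="/static/js/checkout.js"></script>
<script src="https://js.payments.example.net/v3/sdk.js"></script>
<script src="//cdn.unapproved.test/lib.min.js"></script>
<form id="payment"><input name="card_number"></form>
</body></html>
"""
CHECKOUT_URL = "https://shop.example.com/static/js/checkout.js"
SDK_URL = "https://js.payments.example.net/v3/sdk.js"
CHECKOUT_BASELINE = b"window.checkout = {};\n"
SDK_BODY = b"window.paymentsSdk = {};\n"

ALLOWED_ORIGINS = {"https://shop.example.com", "https://js.payments.example.net"}
BASELINE_HASHES = {
    CHECKOUT_URL: hashlib.sha256(CHECKOUT_BASELINE).hexdigest(),
    SDK_URL: hashlib.sha256(SDK_BODY).hexdigest(),
}
# On this crawl the first-party checkout script has grown by code that was
# never in the baseline; the payment SDK is unchanged.
FETCHED_BODIES = {
    CHECKOUT_URL: CHECKOUT_BASELINE + b"// code appended after the last review\n",
    SDK_URL: SDK_BODY,
}

if __name__ == "__main__":
    findings = audit_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL, ALLOWED_ORIGINS,
                             BASELINE_HASHES, FETCHED_BODIES)
    for o in findings["unapproved_origins"]:
        print("UNAPPROVED SCRIPT ORIGIN:", o)
    for u in findings["modified_scripts"]:
        print("SCRIPT CHANGED SINCE BASELINE:", u)
```

Running this against the sample flags the unapproved third-party origin and the changed first-party script. The second check matters because an origin allowlist alone says nothing about a trusted script whose contents were altered; it needs either baseline hashes maintained like this or Subresource Integrity attributes on the script tags, and either way the result belongs in the auditable record the regulators ask for.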
In both cases, attackers took advantage of the organisations' lack of visibility into their own assets and controls, and the compromises went undiscovered for far too long. And in both cases, the ICO determined that more should have been done to protect customers' data.
Continuous Controls Monitoring could have helped identify the controls gaps that let these businesses down. At the very least, it would have satisfied the regulators that both businesses were implementing reasonable measures to identify controls gaps and deal with them. While this may not have prevented the breaches from happening – breaches are impossible to rule out altogether – substantiating compliance could have saved them a lot of money.
We recently caught up with Jim Doggett, former CISO at AIG, to discuss how Continuous Controls Monitoring (CCM) can help enterprise security teams to improve general cyber hygiene and demonstrate regulatory compliance.
If you have any questions about anything in this video, feel free to get in touch via LinkedIn, Twitter or email. If you’d like to learn how Continuous Controls Monitoring can improve compliance and cyber hygiene, book a demo to speak to a member of our team.