On 16 October 2020, the ICO published its first considerable fine under the GDPR. At £20m, it was game changing: forty times the previous largest fine. The ICO took a deep dive into the functioning of an IT and a development department and produced a 114-page document that was hugely embarrassing and potentially career ending.
The ICO's report on BA is 114 pages long and lists considerable failings on BA's part. The sections below cover a portion of the high-level events and the lessons to learn from them. It is also worth noting that the ICO report on BA is heavily redacted to reduce the likelihood of a copycat attack. Whilst responsible, this makes the report less transparent, more difficult to follow in most places and impossible to follow in others.
An attacker obtained five sets of credentials for the company's Citrix portal. The supplier concerned, Swissport, operated at an airport in Trinidad and Tobago. No mention was made of how the credentials were obtained, although it was likely one of the following four ways:
- Purchasing them.
- A camera recording logins.
- Social engineering.
- Use of a keylogger.
User training would have prevented the social engineering, and endpoint protection (unlikely to be an appropriate solution in this case, given that it was third-party hardware) could have been configured to prevent keyloggers. None of these methods would have succeeded if multi-factor authentication had been in place.
On gaining access to the portal, the attacker discovered that it had not been hardened in line with Citrix's own published standards. The attacker was therefore able to break out of the portal by running a program that was either not intended for users or had been uploaded. The details are not published; however, it is implied that this program was possibly IT admin related. It is also implied that the users had more access than they required.
On breaking out of the portal, a plain-text file was found on the network containing sysadmin passwords. There is a suggestion that the file was code for applications.
- Use of application blocklists and allowlists would have been appropriate in Citrix. Alerting should have been configured to report attempted access to unauthorised applications.
- A process for system implementation and risk assessment should have been in place to ensure all systems were configured to agreed standards.
- Additionally, the least privilege principle should have been applied to the Microsoft user accounts.
- Penetration testing should have been undertaken.
- A password management or Privileged Access Management (PAM) tool should have been in place.
The sysadmin credentials from the plain-text file were used. They were outdated and were unsuccessful.
A system monitoring alert could have been set up for failed sysadmin (SA) logons. It is implied that a suitable system was in place; however, it was not configured appropriately. The attack could have been stopped here.
Nothing notable happened on this day. It may be relevant that it was a Sunday.
The attacker successfully logged into three servers using local accounts. No details of how are published, implying a security exploit and a possible patch management issue. By adding the guest account to the local Administrators group, the attacker was able to use that account to gain local admin capability.
Patch management and system monitoring for Windows Security Event ID 4732 (an account being added to the local Administrators group) would have interrupted this attack vector.
The attacker located DBA credentials.
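Two of the alerts described above (failed sysadmin logons, and Event ID 4732 additions to the local Administrators group) are straightforward to express as detection rules. The following is an added example, not code from the ICO report, BA or Protecture; the event records are constructed in a simplified shape, and the account names, hosts and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows Security log shape
# (fields mirror what 4625 / 4732 records carry; not real BA data).
SAMPLE_EVENTS = [
    {"time": "2018-07-22T22:01:05", "id": 4625, "account": "svc_sysadmin", "host": "APP01"},
    {"time": "2018-07-22T22:01:09", "id": 4625, "account": "svc_sysadmin", "host": "APP01"},
    {"time": "2018-07-22T22:01:14", "id": 4625, "account": "svc_sysadmin", "host": "APP02"},
    {"time": "2018-07-22T22:02:00", "id": 4624, "account": "jsmith", "host": "APP01"},
    {"time": "2018-07-24T03:10:42", "id": 4732, "account": "Guest",
     "group": "Administrators", "host": "APP03"},
    {"time": "2018-07-24T03:11:00", "id": 4732, "account": "helpdesk",
     "group": "Remote Desktop Users", "host": "APP03"},
]

# Assumed list of privileged account names worth a dedicated failed-logon rule.
PRIVILEGED = {"svc_sysadmin", "administrator"}
FAIL_THRESHOLD = 3            # failures needed to raise an alert
WINDOW = timedelta(minutes=5)  # sliding window for those failures

def failed_privileged_logons(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return privileged accounts with >= threshold 4625 events inside one window."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["account"].lower() in PRIVILEGED:
            times[e["account"]].append(datetime.fromisoformat(e["time"]))
    hits = []
    for account, ts in times.items():
        ts.sort()
        # Any run of `threshold` consecutive failures that fits in the window triggers.
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                hits.append(account)
                break
    return hits

def local_admin_additions(events):
    """Return (account, host) for 4732 events that target the local Administrators group."""
    return [(e["account"], e["host"]) for e in events
            if e["id"] == 4732 and e.get("group", "").lower() == "administrators"]

if __name__ == "__main__":
    print("failed privileged logons:", failed_privileged_logons(SAMPLE_EVENTS))
    print("local admin additions:", local_admin_additions(SAMPLE_EVENTS))
```

On the sample data the first rule fires on the three failures against svc_sysadmin within nine seconds, and the second reports only the Guest addition, ignoring the Remote Desktop Users change.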
The attacker located log files containing payment card details in plain text. BA stated that these were there for testing purposes and were not removed when the code was promoted to live. This led to a breach of 108,000 records.
Intelligent network security applications or hardware would have identified and blocked the movement of these records.
Manual reviews of such high-volume transaction code should have been undertaken. There was no alert to report code changes.
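Card data left in logs after promotion to live is something a routine scan of log output can catch. The following is an added example, not code from the ICO report, BA or Protecture: it finds Luhn-valid digit runs of card-number length in constructed log lines and reports them masked. The log lines and the test card numbers in them are constructed.

```python
import re

# Constructed log lines imitating a payment log left over from testing.
# The card numbers are well-known public test PANs, not real cards.
SAMPLE_LOG = """\
2018-08-15 10:02:11 INFO  booking=ABC123 status=OK
2018-08-15 10:02:12 DEBUG card=4111111111111111 exp=12/20 cvv=123 amount=249.00
2018-08-15 10:02:13 DEBUG order_ref=1234567890123 trace=5500000000000004
2018-08-15 10:02:14 INFO  session=9f8e7d6c5b4a
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep the first six and last four digits, as a PCI-style masked PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (line_no, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((n, mask(digits)))
    return hits

if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible card number {pan}")
```

The 13-digit order reference on line 3 fails the Luhn check and is ignored, while the two test PANs are reported; run against real log output the checksum filters most timestamps and reference numbers but not all, so hits still need a human look.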
14/8/18 – 5/9/18
The above actions led to all payments (including card and CVV data) on BA’s website being copied and redirected to ‘BAways.com’, a domain controlled by the attacker. The attacker then extracted as many funds as possible leaving some people stranded abroad with no money.
A 3rd party identified payment data being copied to an external domain and notified BA.
The security of the infrastructure was either not considered or not thought of as a sufficient threat to address, even though the report suggests third parties had BA domain accounts. There may be several reasons for this. Certainly it suggests a lack of staff knowledge of the security configuration of Citrix. It also implies that IT management did not make that a priority for the admin staff. It further strongly implies that senior management were carrying risks that they were unaware of or uninterested in.
As BA had the resources to address these issues, the fundamental failure here was likely to be one of communication. No IT team would intentionally introduce the security issues mentioned above. Senior management should have provided appropriate resources and guidance, as well as insisting on appropriate risk management reporting.
Where Protecture can help
Protecture does not view Data Protection (DP), Information Security (IS), IT and leadership-led risk management as separate entities. It is not possible for any of those individual specialities to be successfully implemented without the other three. We understand the overlap, that each needs to communicate and that each speaks a different language. We can help you break down internal barriers, unlock budget and implement the solutions you require.
Whilst our individual services focus on IS, DP, IT and Risk, they are all delivered by people who understand how they interact. Through partnerships with best-in-class manufacturers, software creators and specialists, we are able to address all of the issues listed above in a way that suits your business requirements.
We can help you Manage Data Fearlessly.