Bring on the fines
The EU's data protection regulation bared its teeth this week as the UK regulator revealed its intention to impose multi-million dollar fines on British Airways and the Marriott hotel group. Both companies say they're "disappointed" and will challenge the decisions. The proposed fines are significant: £183 million for BA and £99 million for Marriott. Both companies cooperated with the Information Commissioner's Office (ICO), which is likely to have reduced the fines. The ICO hasn't given a detailed explanation for the decisions, but in BA's case it criticized "poor security arrangements" which resulted in the theft of some 500,000 customers' credit card details. The data was stolen by a hacking group called Magecart, which exploited BA's failure to secure third-party JavaScript used to process payments. A relatively simple mechanism called Subresource Integrity (SRI) would have stopped the attack: the page declares a cryptographic hash of the script it expects, and the browser refuses to run a fetched script whose hash does not match. Anyone running an e-commerce site should be aware that Magecart is still highly active. This week, RiskIQ reports that the group has been breaching websites by scanning for poorly configured AWS S3 storage.