Magecart Monthly: Record £183m fine for British Airways.

Read the latest news on Magecart attacks! We’ve trawled the web for the latest news of data breaches, including updates on previous attacks. Now featuring insider insights from our own Security Researcher!

Latest attacks:

Quest Diagnostics and LabCorp
Princess Polly
Twitter Disclosures
British Airways Update

Quest Diagnostics and LabCorp

New! Major Attack on US Medical Debt Collection company American Medical Collection Agency (AMCA). Their payment portal was compromised for 8 months from August 1st, 2018 to March 30th, 2019. ZDNet report that over 20 million US citizens have been impacted by the security incident. Companies affected by the attack include; Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix, and Sunrise Laboratories. As part of the attack, names, social security numbers, addresses, dates of birth, and payment card information were stolen and sold on underground web-forums.

AMCA announced in a statement; “We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security.”

Multiple lawsuits are filed against Quest Diagnostics, AMCA, and LabCorp for delaying notifications and failing to protect patient data. US regulators are also investigating at this time.

AMCA’s four largest clients immediately stopped doing business with the company and due to this loss of business, AMCA have now filed for Chapter 11 protection. The company has listed assets and liabilities of $10 million in the bankruptcy petition as they aim to liquidate the company. AMCA CEO Russell H. Fuchs declared in court that the data breach created a “cascade of events” which led to an “enormous expense that were beyond the ability of the debtor to bear,”. Expenses included more than $3.8m spent on mailing 7 million individuals with Fuchs personally lending the company $2.5m to help pay for the mailing. An additional cost of $400,000 had been spent on IT professionals and consultants.

This is Quest Diagnostics second breach in under 3 years, with a previous data breach of 34,000 patients data in 2016. This second breach calls for increased security for Quest Diagnostics to ensure customer’s data is secure.

Princess Polly

Australian online fashion retailer Princess Polly suffered a Magecart attack from the 1st November, 2018 to 29th April, 2019. Personal data disclosed included; usernames, passwords, billing and shipping names, addresses, phone numbers, date of births and payment details.

On the 31st May, in a Security Incident announcement on their website the company stated; “We have recently discovered an unidentified third party gained unauthorised access to our website. During this process, the third party may have accessed customers’ personal information and payment details entered on our website.” Going on to explain; “When you enter payment information on our site, it is redirected to a payment gateway which means that Princess Polly does not process the payment information and it is not stored by Princess Polly, however, during this incident, the third party may have been able to access credit card details while being entered at check-out”. Co-CEO of Princess Polly Wez Bryett states; “As soon as we became aware of this incident, we took immediate steps to investigate and confirm that our website was secure.” and included an apology to customers.

This incident affected customers on the Australian and New Zealand sites and did not impact customers on the US site. The company is undertaking a full investigation and has also upgraded their payment gateway provider to Braintree.

Twitter Disclosures

RapidSpike Security Researcher speaks about online disclosures, stating; “There have been over 110,000 Magecart attacks recorded, however, only a small number of attacks make news headlines, sifting through Twitter you’ll be able to see frustrated individuals and independent researchers reporting vulnerabilities to companies with no response being acknowledged or actions taken. As GDPR only relates to European companies, many of these companies do not have to report their data breach and are not held responsible for their actions. Following the discovery that 87% of SME sites running Magento are at high risk of cybercrime, more data breaches have been coming to light, especially on Twitter.”

Just one recent example is Noco, a battery products manufacturer. On 17th June @MarcelMalware reported the company’s website had been attacked, announcing on Twitter:

“Hi @noco your Magento eCommerce website has been compromised. Please alert your dev team.”

With the below screenshot:

Screenshot of malicious JavaScript code on Noco's website. — Malicious JavaScript code on Noco’s website.

@Malwrhunterteam responded explaining that the site had not yet been cleaned and that there were in fact 54 malicious JavaScript files. There have been no further developments or updates on this data breach as Noco continue to publish social posts and take online orders without addressing the incident.

British Airways Update

Announced today; The Information Commissioner’s Office (ICO) intends to fine British Airways £183.4m for their data breach last year. British Airways disclosed they had suffered an attack between April and June 2018 which affected around 500,000 customers. After an “extensive investigation” the ICO have concluded customer’s data was compromised by “poor security arrangements”. British Airways have responded to the proposed fine saying they’re “surprised and disappointed”.

RapidSpike security researchers have taken the time to investigate all attacks mentioned. We can confidently say our Data Breach Monitor would have detected every attack. Learn more about our Data Breach Monitor.