The ICO’s latest notice of a Monetary Penalty Notice, on Ticketmaster, contains unusually detailed guidance on the good practice they expect transactional websites to adopt. Although the particular breach concerned credit card data, this seems likely to apply to any site that takes customer data or that uses third party components. The whole notice is worth reading but, since it’s 73 pages long, here are the key points I spotted.
Simplify payment pages, or any others where you collect customer data. The breach occurred due to the insertion of malicious code via a chatbot. The ICO considers (6.13 – 6.17) that the risk of including third party JavaScript code was well known at the time of the breach in February 2018 and (6.18 – 6.20) that pages that accepted credit card details were particularly likely to be targeted. Removing the code from that page would have reduced the attack surface.
Use a layered approach to security, so you are not reliant on any single factor. In particular:
Don’t rely solely on third party certifications (6.22). Ensure contracts for third party code are clear where such products should and should not be used, and make sure security checks occur at a frequency appropriate to the speed of development of the threat (6.22.2).
When using third party written or hosted code, consider the technical measures you might deploy yourself, both in design and operation, in case any security issues arise in that code (6.24). These might include isolating the code from the rest of the page and applying security protections to the communications between the code and the rest of the site. And…
Relevant to both third-party and in-house code. Do your own checks, such as monitoring for unexpected changes (6.12), performing test transactions (6.22.5) and examining network traffic (7.13).
When these checks, or external reports (see 3.3 – 3.26), identify a problem, involve an incident response team promptly, and give them full information. It appears (7.12) that Ticketmaster’s response was delayed by focussing on a particular event and PC operating system when the problem was actually on the website and could have affected all bookings made through it.
