The Cost of Magecart: More Than Just a Single Fine

In the dynamic realm of cybersecurity threats, Magecart remains a persistent danger to e-commerce enterprises and their customers. Magecart web-skimming attacks are a popular type of cyberattack in which malicious JavaScript is injected into checkout pages, either directly or through a compromised third-party script, to copy payment data as the customer types it. These incursions not only carry the risk of data breaches that can lead to substantial GDPR/CCPA penalties but also entail a cascade of other grave repercussions: class-action lawsuits, harm to the brand's reputation, and the erosion of customer trust, all of which can inflict severe financial turmoil upon your organization.

How Easy is it to Write Magecart Code in 2023?

The short answer to that question is: easier than it was in 2022. At the start of the year, with AI suddenly gaining more traction in the public consciousness, nervous-sounding reports emerged about hackers using ChatGPT to help them write skimming code. It then appeared that the chatbot's developers had listened and responded, because before long they had put safeguards in place, and requests to write malicious code were met with a polite refusal.

Then, in April, Kyodo News reported that the restrictions on unethical use could be circumvented simply by telling ChatGPT to work in "developer mode". Using this approach, researchers prompted it to produce ransomware code, which it did in just a few minutes.

Fast forward to now, and attackers don't even need to wait for workarounds anymore. They can subscribe to a dedicated malware-coding chatbot called WormGPT, which can also help them put together more believable-looking phishing emails. For around 100 euros a month, AI makes it possible even for beginners to write Magecart code.

Recent Magecart Attacks

Here are just a few of the many recent Magecart breaches that have been reported:


iOttie (June 2023): the Magecart attack on this popular car-mount and mobile-accessory manufacturer ran from April 2023 until its discovery in June and stole customers' payment card numbers, expiry dates, security codes and other personal details entered at checkout.

The Liquor Control Board of Ontario (LCBO) (January 2023): attackers stole customers' credit card information at checkout by injecting an inline script camouflaged as a legitimate Google Analytics tag into the site, a reminder that a script's name and comments say nothing about what it does.

See Tickets (April 2021): the global ticketing giant learned of its compromise in April 2021, but the skimming had started long before that; the full window it later disclosed spanned roughly two-and-a-half years. Reports suggest that 90,000 customers were affected in the State of Texas alone.

MenuDrive, Harbortouch and InTouchPOS (November 2021): these three online food-ordering platforms were hit by two Magecart campaigns that compromised the payment data of 50,000 customers of 311 restaurants.

Hanna Andersson (January 2020): the children's clothing retailer disclosed a Magecart attack on its e-commerce platform that ran between September and November 2019 and stole payment card data belonging to around 200,000 US-based customers.

The Cost of Magecart

IBM put the average cost of a data breach in 2023 at $4.45 million, a 15% increase over the 2020 figure. Since that is an average across all types of attack (not just Magecart) and businesses of all sizes, some incidents will cost more and some less, but it is fair to say that the cost to any business will be substantial, and in the worst cases it runs to hundreds of millions. Even a breach that causes no direct financial loss for the company or its customers can still cost the organization a great deal in other ways.

Fines and Penalties

GDPR

Since 2018, any company that processes the personal data of people in the EU has been subject to the GDPR. A data breach can result in a fine of up to €20 million (about $21.8 million) or 4% of global annual turnover for the previous financial year, whichever is higher. Penalties may escalate if a breach is not reported to the regulator promptly (within 72 hours of becoming aware of it).

In 2019, the UK's ICO announced its intention to fine British Airways £183 million for failing to prevent a Magecart-style attack that exposed the data of over 400,000 customers. After representations from the airline, the fine was reduced in 2020 to £20 million (about $26 million), still a substantial amount for a single penalty.

CCPA

Another example is the California Consumer Privacy Act (CCPA). Regulatory penalties of up to $7,500 for each intentional violation and $2,500 for each unintentional one may seem small individually, but they can quickly amass into significant sums because each affected consumer can be treated as a separate violation. In theory, a breach affecting 10,000 consumers could attract a fine of up to $75 million. Separately, the CCPA gives consumers a private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident, which is what drives the class actions discussed below.

PCI DSS

Then there are the fines levied by the card brands, and passed on by acquiring banks, for noncompliance with PCI DSS. Per violation, these typically fall in the following ranges, rising the longer the noncompliance persists:

· For the first one to three months: $5,000–$10,000 per month

· Between four and six months: $25,000–$50,000 per month

· For seven months and over: $50,000–$100,000 per month

Compensation

While Magecart attacks might result in hefty GDPR/CCPA fines, they are not the only consequences. Class-action lawsuits, brand damage and the loss of clients’ trust can create devastating financial implications for your business.

Class-Action Lawsuits

We don't know the exact amount British Airways paid out for this breach (such details are usually confidential), but we do know that in 2021 it settled a class-action lawsuit involving around 16,000 claimants, the largest such case in UK legal history. One estimate placed the compensation at about $2,770 per individual, which would put the total at roughly $44 million.

As we mentioned in the list above, Hanna Andersson disclosed in 2020 a Magecart code injection that had gone undetected for two months while it stole customers' payment information. The stolen cards eventually showed up for sale on the dark web, and around 10,000 of them belonged to California residents whose data is protected under the CCPA. The company paid $400,000 to settle the resulting lawsuit.

Security

When a data breach is identified, it must be assessed and dealt with by cybersecurity professionals. Extra staff need to be brought in to find out what happened and ensure that it doesn’t happen again. It’s difficult to estimate costs given that there are so many variables, including the severity and scope of the breach, the size of the organization and its IT infrastructure, the type of data compromised, the expertise required, time sensitivity and more. It’s fair to say though, that companies will typically spend anywhere from tens of thousands of dollars up to several million in the aftermath of a Magecart attack.

Reputation

Reputational damage can be hard to quantify because the effects may take some time to emerge. Such attacks can affect customer confidence and employee morale, and they may make it harder to attract new customers and new employees. It may become harder to upsell services to existing customers and retain good staff.

A classic example is the 2017 Equifax data breach: the company's CEO, CIO and CSO all departed, and the stock fell by roughly a third in the weeks after the disclosure.

PR

A Magecart attack is as harmful to the reputation of an e-commerce business as a dirty kitchen is for a restaurant. In both cases, it’s a breach of trust that creates a lingering bad impression, so once again, the affected company needs to spend more money hiring experts to undo the damage. The UK’s Cyber Resilience Centre estimates that hiring a PR company to clean up the communications mess can cost between £800 and £1500 a day, or $1,000-$1,900. This will obviously vary by country and according to the size of the job.

Disruption to Business

A well-organized business of any size will run on a schedule. A Magecart data breach throws normal routines into disarray as employees at every level adjust to the torrent of demands from customers seeking reassurance and information. Employee roles may change during this time, which will inevitably harm productivity, delay new initiatives and cost money.

It also goes without saying that if the Magecart attack infiltrates a third-party tool, then whatever function it performed will not be available until a replacement is found. That could mean the loss of the website, lost revenue and more lost productivity from staff as they scramble to find and deploy a suitable replacement.

Magecart Attacks Preemptive Measures

This may all sound like a prophecy of doom, but it's worth remembering that the same IBM report we referenced earlier (the one that put the average cost of a data breach at $4.45 million) also found that organizations making extensive use of security AI and automation saved an average of $1.76 million per breach compared with organizations that did not. In other words, it's possible to significantly reduce the cost of a skimming attack, chiefly by shortening the time it stays undetected, by investing in automated continuous monitoring that gives you visibility over your entire client-side attack surface and the tools to keep it secure.

It's always better to put protection in place before the worst happens, and not just because PCI DSS v4.0 now requires it: requirement 6.4.3 (an inventory of every script on the payment page, each authorized and integrity-checked) and requirement 11.6.1 (change- and tamper-detection on the payment page as delivered to the browser) become mandatory on 31 March 2025. The holiday season is already on the horizon, and it always brings an upswing in skimming attacks, so now is the ideal time to address any gaps in your security posture.


Idan Cohen

Idan Cohen brings more than 15 years of cybersecurity experience, including leadership roles in the Israel Defense Forces and as CTO at BugSec, with a background in both offensive and defensive roles. Idan conducted cyberattacks to assess corporate security, and during his tenure at BugSec he started Cynet, specializing in EDR solutions. Today Idan is the Co-founder & CEO of Reflectiz, an award-winning cybersecurity startup for web threat management.
