Formjacking: the new cyber threat

The BA and Ticketmaster hacks show how thieves are targeting businesses’ websites to steal their customers’ card details.

A new wave of cyber-attacks involving the harvesting of card details from e-commerce websites – so called formjacking – has hit businesses worldwide. Ticketmaster was reported to have had 40,000 customer records compromised in June, while British Airways was attacked in September, when nearly 400,000 customers may have had their card details stolen. Hacking collective Magecart is believed to be behind a huge spike in the number of formjacking attacks which, according to Symantec, have numbered around 250,000 since mid-August.

Formjacking is where hackers inject malicious Javascript into a business’s payment processing webpages to capture customers’ card details.

Formjacking is where hackers inject malicious Javascript into a business’s payment processing webpages to capture customers’ card details. Most of these attacks have been carried out against third party code suppliers that provide services such as website support, analytics and content delivery to e-commerce websites. “As third party service providers are the initial target of these types of attack, they pose a significant risk for organisations with extensive supply chains,” says Matt Webb, Hiscox London Market’s Chief Underwriting Officer – Cyber. 

Counting the cost

There is currently no estimate for the total financial losses that affected companies may face. Other than the cost of reissuing cards to affected customers, there is also the risk that businesses may be unable to process transactions online if their payment pages are unavailable while the malicious JavaScript is removed. One of the major companies affected is reportedly facing a group action lawsuit for £500 million from disgruntled customers for compensation for distress and inconvenience. Bearing in mind the nature of such attacks, the sensitivity of the compromised data and the number of people affected, there is a high likelihood of GDPR penalties including fines. Some media reports put the potential cost to BA from any related GDPR fine in the region of £897m.

Businesses should look to review the number of third-party Javascript providers they work with and remove any that are unessential –especially from their payment pages.

Minimising the risk

Formjacking attacks can be difficult to detect and prevent. “Businesses should look to review the number of third-party Javascript providers they work with and remove any that are unessential –especially from their payment pages,” says Webb. “Similarly, they should conduct regular audits of their providers’ cybersecurity measures to reduce the likelihood of an incident.” There are a few technology solutions available, but if they are not implemented carefully they can cause problems loading a site.

Businesses should also ensure their cyber insurance policies will respond to formjacking attacks.  “Businesses must make sure their policies aren’t only triggered by specific cyber events,” says Webb. “The cyber threat is constantly evolving: formjacking is just its latest manifestation, following on the heels of cryptojacking and previous examples. So, a good cyber policy should respond to new hacker threats as they arise.”