Magecart Primer: 5 Things Every CFO Should Know

by Ophir Ashkenazi

The credit card skimming scourge known as Magecart is sweeping the web. Finance leaders should pay attention to the risks and potential costs.


As a senior finance leader, your job is to safeguard company funds, manage expenditures and manage risks. In this role, you should know about Magecart; it is among the most serious cybersecurity risks facing websites and mobile applications that take credit card or bank data. Wired Magazine listed Magecart, an umbrella term for multiple attack groups, as one of the biggest online threats in the publication’s annual 2018  “Most Dangerous People on the Internet”  article.
By one industry count there have been over 2 million Magecart attacks, hitting more than 18,000 different websites and mobile apps since 2010. Magecart has caused significant financial damage to dozens of large companies including Macy's, British Airways and Delta Air Lines. In the case of British Airways, the UK regulator announced in 2019 its intention to fine the company £183 million (about $229 million) for General Data Protection Regulation (GDPR) violations resulting from a Magecart attack. While it's difficult to tally the total costs, a credible estimate is that Magecart attacks cost businesses over $1 billion in 2019, including customer mitigation, extra staff time, reputation loss, accelerated audit costs and fines. Here's a rundown of what you need to know as a finance leader.

What Is Magecart? 

At its core, Magecart is a type of data skimming that targets e-commerce systems and seeks to compromise the code of shopping cart software. The name comes from its original focus on Magento, the shopping engine now owned by Adobe. It has since expanded to other major shopping cart systems, including Shopify and OpenCart, and to shopping cart plug-ins for WordPress, the world's most widely used web publishing system. To be clear, Magecart is not just an attack technique. It is also a loose affiliation of cybercriminal gangs that pursue this type of data skimming.

Here's how it works. A Magecart attacker inserts malicious JavaScript into the code that a website or mobile application delivers to the customer's browser, either by modifying the site's own files or by compromising a third-party script (an analytics tag, a chat widget, a CDN-hosted library) that the site loads. This code runs in the shopper's browser and secretly captures sensitive information from online payment forms as it is typed, including email addresses, passwords and credit card details. The skimmer then sends the captured data to a server the attacker controls, typically under a domain chosen to look legitimate. Shoppers have no way to tell; they experience what appears to be a normal transaction, and the payment itself goes through. It is also hard for owners of the website or mobile app to notice, because nothing in their databases or back-end systems is touched: the code changes are small, often obfuscated, and sometimes activate only on checkout pages or for non-developer visitors.

What You Need to Know About Magecart

Now that you have the basics, here are some of the significant problems this attack can cause your organization and what you can do to reduce this risk. 

1. Check your cyber insurance coverage

Magecart is a relatively new type of cyberthreat and cyber insurance tends to be vague. As the Economist writes about cyber insurance, “The policies on offer so far tend to vagueness... and vary widely regarding which risks are covered.”  It’s worth a call to your insurance experts to make sure you understand the limits and rules for coverage against Magecart attacks. If you don’t have cyber insurance, it’s worth exploring based on Magecart alone.

2. Fines are a significant financial risk if you do business in Europe

GDPR fines can be up to €20 million or 4% of worldwide annual turnover for the prior financial year, whichever is higher. So when the British data protection authority, the Information Commissioner's Office (ICO), announced a nine-figure proposed fine against British Airways in 2019, it set a high risk threshold for government penalties for GDPR violations. Some cybersecurity experts were surprised at the size of the fine because the data was skimmed in customers' browsers; the databases and internal systems of British Airways were never breached. But this underscores that big fines may land on companies that the regulator believes failed to protect user data against this kind of attack, whether or not a back-end system was compromised.

3. Fines will likely be just as big a risk if you do business in California

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. It applies to for-profit businesses that collect Californians' personal data and meet one of its thresholds (roughly $25 million in annual revenue, data on 50,000 or more consumers, households or devices, or half of revenue from selling personal data). In other words, pretty much every major retailer, online travel agency and finance company. CCPA is similar to Europe's GDPR but has an additional legal tooth: it gives consumers a private right of action when a breach of their personal data results from a failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident even without proof of loss. A skimmer that captures card data from thousands of checkouts is exactly that kind of breach. California also has a long history of seeking high penalties in consumer protection realms. It's important to remember that if you have customers in California, you are subject to the CCPA even if you have no physical presence there.

4. You need to accelerate compliance and audit processes

With Magecart attacks growing quickly both in number and in scope, you need to increase the frequency of your compliance checks and spot audits. As the CFO, compliance and auditing fall under your responsibilities. Because attempts to compromise your company's website code will increase in frequency, so too must efforts to spot anomalies. Code audits that have typically run once a year need to be automated and run continuously, since a skimmer can be inserted and removed between two annual reviews. You should also add technology that watches the behavior of website code in the customer's browser (which scripts load, and where they send data) to your security portfolio, because the malicious code may never appear in your own source repository.

5. Ask your IT and security teams for an inventory of all Magecart risks

A key part of compliance is understanding the risk. Few teams know all their risks from third-party code and Magecart exposure, and every script a page loads, including analytics tags, chat widgets and CDN-hosted libraries, can capture what the shopper types on a payment form. According to an Osterman Research survey of 300 information security leaders, only 11% of website decision makers believe they have complete insight into the third-party scripts on their website, and only 31% believe they have addressed all of the vulnerabilities in their third-party scripts. Ask for a list of every script on your checkout pages, who owns each one, and what controls prevent it from changing or sending data elsewhere.
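The following is an added example, not code from the article or from PerimeterX, of what such an inventory looks like in practice and how it feeds the automated checks described under point 4. It reads a checkout page's HTML, lists every script tag, marks which ones come from third-party origins and which are pinned with a Subresource Integrity hash, and derives a Content-Security-Policy header whose `connect-src`, `form-action` and `img-src` directives block the skimmer's final step, sending captured data to a server in a different location. The page HTML, the origin `https://shop.example.com`, the hostnames and the `integrity` value are all constructed sample data; it assumes Node.js 10 or later.

```javascript
// Added example (not from the article): a script inventory and CSP builder
// for a checkout page. Assumes Node.js 10+ (global URL). SAMPLE_HTML and
// SITE_ORIGIN are constructed sample data; the integrity value is a
// placeholder, not a real digest.
const SITE_ORIGIN = 'https://shop.example.com';

const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"
        integrity="sha384-PLACEHOLDER_NOT_A_REAL_DIGEST"
        crossorigin="anonymous"></script>
<script src="https://static.analytics-vendor.example/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment"></form></body></html>`;

// Read one attribute value out of a <script ...> tag's attribute string.
function attrValue(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// List every <script> on the page, resolving relative URLs against the
// site origin and marking anything served from another origin as
// third-party. Regex parsing is fine for server-rendered templates;
// use a real HTML parser when scanning arbitrary pages.
function inventoryScripts(html, siteOrigin) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = attrValue(attrs, 'src');
    if (!src) {
      found.push({ kind: 'inline', bytes: body.trim().length,
                   origin: siteOrigin, thirdParty: false, integrity: null });
      continue;
    }
    const url = new URL(src, siteOrigin);
    found.push({ kind: 'external', src: url.href, origin: url.origin,
                 thirdParty: url.origin !== siteOrigin,
                 integrity: attrValue(attrs, 'integrity') });
  }
  return found;
}

// Flag the two things a skimmer review cares about most: third-party code
// that is not pinned with Subresource Integrity (a compromised vendor can
// change it at will) and inline code that CSP cannot allowlist by origin.
function findIssues(inventory) {
  const issues = [];
  for (const s of inventory) {
    if (s.kind === 'inline') {
      issues.push(`inline script (${s.bytes} bytes): needs a CSP nonce or hash`);
    } else if (s.thirdParty && !s.integrity) {
      issues.push(`${s.src}: third-party script without an integrity attribute`);
    }
  }
  return issues;
}

// Build a Content-Security-Policy from the inventory. script-src allows
// only the origins actually in use; connect-src, form-action and img-src
// stay 'self' so that injected code cannot POST, beacon or image-load the
// captured card data to a server in a different location.
function buildCsp(inventory) {
  const origins = new Set();
  for (const s of inventory) {
    if (s.kind === 'external' && s.thirdParty) origins.add(s.origin);
  }
  return [
    "default-src 'self'",
    `script-src 'self' ${[...origins].join(' ')}`.trim(),
    "connect-src 'self'",
    "form-action 'self'",
    "img-src 'self'",
  ].join('; ');
}

const inventory = inventoryScripts(SAMPLE_HTML, SITE_ORIGIN);
console.log(findIssues(inventory).join('\n'));
console.log(buildCsp(inventory));
```

Run against the sample page, the report flags the analytics tag (third-party, no integrity hash) and the inline snippet, and leaves the hashed CDN library alone. Two caveats a practitioner should raise: an origin allowlist does not help when the allowed vendor itself is compromised, which is a common Magecart route, so static third-party files should also carry integrity hashes; and scripts that legitimately change often (tag managers, A/B tools) cannot be hash-pinned and therefore need the in-browser behavior monitoring described under point 4. Tightening `connect-src` and `img-src` also has to be tested, since it will break any legitimate third-party that phones home.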

Preventing Magecart Means Saving Money

The average cost of a data breach in 2019, according to the annual IBM and Ponemon Institute study, was $3.92 million. Very large breaches, with hundreds of thousands or millions of records, cost far more. Every company is sensitive to immediate cash flow impacts, whether publicly traded, in receivership or owned by private equity investors, so investing to prevent Magecart is likely a sound use of money.

Being a CFO or finance leader always means being prepared for the unexpected, and Magecart is hard to plan for: the attack leaves your own systems untouched, yet the fines and liability land on you. Unfortunately, the chances that a Magecart attacker will at least attempt to compromise your website or mobile app are on the rise. So add it to the list of top-of-mind concerns to tackle to keep your business running safe and sound.

Ophir Ashkenazi is Co Founder and CFO at PerimeterX.