British Airways data breach

From Wikipedia, the free encyclopedia

In 2018, there was a data breach that affected 380,000 to 500,000 customers of British Airways.[1][2]

Attack

The Information Commissioner's Office said that the attack had begun in June 2018.[2]

The ICO claimed the incident took place after the British Airways website was diverted to a false site. According to computer security researcher Alan Woodward, the attack was most likely carried out through a supply chain attack on a third-party payment utility used by the website.[3] The compromised script sent the submitted payment information directly to the attackers. The theft of CVV codes in the attack supports this theory: under PCI DSS, CVV codes are not stored,[4] and are only processed at the moment a payment is made, which makes a database compromise an unlikely source of the data.

British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018 with credit card details of around 380,000 total customers being compromised.[1] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes – enough to allow thieves to steal from accounts.[1] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include CVV numbers.[5]

One customer of the airline reported that his card had been used to buy items by phone at Harrods while he was in Malaysia.[2] The attempt was rejected – the customer did not think his card was exposed except by this attack.[2]

Aftermath

British Airways urged customers to contact their banks or credit card issuer and to follow their advice.[1] NatWest said that it received more calls than usual because of the breach.[1] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.[1]

Consequences for British Airways

British Airways initially faced a £183 million fine from the Information Commissioner's Office, which would have been the biggest fine issued by the office up to that date.[2] It was roughly 367 times the previous record, which was a £500,000 fine imposed on Facebook over the Cambridge Analytica scandal.[2] CEO and chairman Álex Cruz said the airline was "surprised and disappointed" in the ICO's finding.[2]

In October 2020 British Airways was fined £20 million by the Information Commissioner's Office, considerably smaller than the £183 million fine that the ICO originally intended.[6]

References

  1. Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.
  2. Cellan-Jones, Rory (8 July 2019). "British Airways faces record £183m fine for data breach". BBC News. Retrieved 20 May 2020.
  3. "British Airways breach: How did hackers get in?". BBC News. 7 September 2018. Retrieved 21 October 2022.
  4. "PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1" (PDF). PCI Security Standards Council. July 2018.
  5. "BA investigation into website hack reveals more victims". BBC News. 25 October 2018. Retrieved 4 November 2022.
  6. Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.