British Airways fined £183 Million on passenger data breach
The powerful watchdog called GDPR is on a serious hunt
On Monday, July 8, Britain’s Information Commissioner's Office (ICO) hit “The World’s Favorite Airline”, British Airways, with a fine of £183 million for failing to protect the personal information of more than 500,000 of its customers. The fine relates to a 2018 security breach in which hackers stole the personal data of more than half a million of the airline's customers.
Last year the airline disclosed a breach that lasted approximately two weeks and exposed the personal data of its customers, including the credit-card numbers of up to 380,000 of them.
At the time, BA officially confirmed that customers who booked flights on its official website (www.ba.com) or on its mobile app between August 21 and September 5 had their details compromised by hackers.
The hack was later attributed to the threat actor known as Magecart, one of the most infamous hacking groups, which specializes in stealing credit card details from websites with poor security, especially those running e-commerce platforms. The group is known for using credit card skimmers in quite a ‘creative way’: it inserts lines of malicious code into the payment (checkout) page of a compromised website; that code captures the customer's payment details as they are entered and sends them to a remote server controlled by the attackers.
The group is also believed to be responsible for card-skimming attacks on high-profile companies such as Ticketmaster and Newegg, and on many smaller e-commerce websites that had security flaws in their online systems.
In its official statement, the ICO said that its comprehensive investigation found that the hack involved customer details including payment card, name, log-in and address details, as well as booking information. It added that the breach, which began in June 2018, occurred because of “poor security arrangements”, mainly on the BA website, leaving the door open for hackers to compromise customers’ details.
“People’s personal data is just that – personal,” said the Information Commissioner, Elizabeth Denham. “When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO also noted that the airline has cooperated since the start of the investigation and has made improvements to its security systems since the breach occurred last year.
The breach began in June 2018, after the GDPR came into force in May 2018, so the new regime applies: the fine of £183.39 million imposed on BA corresponds to the GDPR “rule of 1.5 %” of the company’s worldwide turnover (in this case, for its 2017 financial year).
After the ICO’s announcement, British Airways stated that it was “surprised and disappointed” by the penalty. Alex Cruz, BA chairman, said that “British Airways responded quickly to a criminal act of stealing customers’ data” and that "We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused."
According to the GDPR, the company has 28 days to appeal against the penalty and its findings, as well as the scale of the fine, before a final decision is taken by the ICO.
“British Airways will be making representations to the ICO in relation to the proposed fine,” said Willie Walsh, chief executive of BA’s parent company, International Airlines Group (IAG).
Looking at the GDPR timeline so far, some of the most noted penalties have been the Facebook/Cambridge Analytica case, in which Facebook was fined $500,000 for the misuse of 87 million users’ data, and the Equifax breach last year, in which the financial information of 143 million customers was exposed.
To sum up, these recent data breaches raise a red flag about the growing sophistication of hacking techniques and the new kinds of security flaws that attackers are finding, so it goes without saying that companies must seriously tighten their security. A data breach can cause serious reputational damage to a company and can also expose it to a very bitter fine under the GDPR.
About the author
Ardian Berisha is the Senior Market Intelligence and Webinar Manager at PECB. He is in charge of conducting market research while developing and providing information related to ISO standards. If you have any questions, please do not hesitate to contact him: marketing.ism@pecb.com.