As reported by the BBC, British Airways has received a fine from the Information Commissioner’s Office (ICO) to the tune of £183m for a severe data breach of its systems. It is the largest penalty the ICO has handed out and the first to be made public under the new General Data Protection Regulation (GDPR) rules.
The ICO said the British Airways data breach took place after users of the BA website were diverted to a fraudulent site. Through this false site, the details of around 500,000 customers were harvested by the attackers. The ICO’s investigation found that a variety of information was compromised by poor cyber security arrangements at the company, including login, credit card and travel booking details, as well as name and address information.
The incident was first disclosed on 6th September 2018, with BA initially declaring that approximately 380,000 transactions had been affected but that the stolen data did not include travel or passport details.
At the time, British Airways said hackers had carried out a “sophisticated, malicious criminal attack” on its website.
This is very welcome news, although it should be pointed out that the ICO has so far only issued British Airways with a notice of its intention to fine it a record amount; this is not the final penalty, which will no doubt be negotiated down once the ICO has received sufficient media coverage. One thing is certain: the eventual penalty will have an impact on the balance sheet, unlike the trifling pre-GDPR fine cap of £500,000. BA’s head-in-the-sand mentality is evidenced by its failure to act for around 30 days after being notified of the vulnerability by a cyber security professional.
“Last year I complained to British Airways about third-party front-end scripts that were leaking booking details to third parties, the same issue that led to the credit card breach. Now they’re being fined £183m by the ICO.”
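The complaint quoted above concerns third-party front-end scripts running on booking and payment pages. As an added example (not code from the original post, from British Airways or from the person quoted), the following Node.js snippet audits an HTML document for scripts loaded from hosts other than the site's own and reports those that carry no Subresource Integrity (`integrity`) attribute, the browser control that pins a script to a known hash so that a modified copy is refused. The first-party hostname, vendor hostnames and sample HTML are constructed placeholders, not BA's real page.

```javascript
// Added example: audit an HTML page for third-party <script src=...> tags that
// lack Subresource Integrity. Not code from the original post; the hostnames
// and the sample HTML below are constructed for illustration.

const FIRST_PARTY_HOST = "www.example-airline.test"; // constructed placeholder

// Constructed sample page: one first-party script, one third-party script
// pinned with SRI, one third-party script with no integrity attribute, and
// one inline script (inline code is not an external dependency).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.test/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://analytics.example-tracker.test/tag.js" async></script>
<script>inlineConfig = {};</script>
</head><body></body></html>`;

// Parse the attribute list of one <script ...> opening tag into a name->value map.
// Boolean attributes such as "async" map to the empty string.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// List every external script whose host differs from the first-party host,
// recording whether it is pinned with an integrity hash. Relative URLs are
// resolved against the first-party origin, so they count as first-party.
function auditThirdPartyScripts(html, firstPartyHost) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!("src" in attrs)) continue; // inline script
    let host;
    try {
      host = new URL(attrs.src, `https://${firstPartyHost}/`).hostname;
    } catch {
      continue; // malformed src: nothing to resolve
    }
    if (host === firstPartyHost) continue;
    findings.push({
      src: attrs.src,
      host,
      hasIntegrity: "integrity" in attrs && attrs.integrity.length > 0,
      hasCrossorigin: "crossorigin" in attrs,
    });
  }
  return findings;
}

// The actionable subset: third-party code the browser will run unverified.
function scriptsMissingSri(html, firstPartyHost) {
  return auditThirdPartyScripts(html, firstPartyHost).filter((f) => !f.hasIntegrity);
}

for (const f of scriptsMissingSri(SAMPLE_HTML, FIRST_PARTY_HOST)) {
  console.log(`third-party script without SRI: ${f.src}`);
}

module.exports = { parseAttributes, auditThirdPartyScripts, scriptsMissingSri };
```

SRI only works for scripts whose content is static; a tag whose vendor changes it on the fly cannot be pinned, and the usual alternatives are to self-host a reviewed copy or to keep such tags off payment pages altogether and restrict the rest with a Content-Security-Policy `script-src` list.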