British Airways Data Breach

THIS ACTION IS NOW CLOSED

In 2021 the British Airways data breach action was resolved on confidential terms following successful mediation and negotiation. The resolution did not include any admission of liability by the airline. We represented many clients in this case. In fact, we were one of only two firms to pursue legal action against British Airways, and we were delighted to have secured a settlement for those affected.

While we are prohibited from discussing the terms of the settlement, this page explains how the data breach happened, the facts of the case, and the consequences for the affected customers.

The 2018 British Airways data breaches

British Airways Data Breach: booking website and app

Almost 400,000 British Airways customers had their personal details and bank cards stolen in one of the most severe cyber-attacks in UK history. The breach happened when hackers managed to access the British Airways website and mobile app. Cyber-criminal gang Magecart is believed to be behind the British Airways data breach.

British Airways Data Breach: reward bookings

When investigating the first data breach, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. The breach affected customers making reward bookings.

Why did people take legal action against British Airways?

Because of the British Airways data breach, many customers were forced to change their bank accounts or credit cards, while others reported theft, fraud, and emotional damage. Cybercriminals diverted some passengers to a fake website where hackers harvested further details. Some BA customers reported fraudulent activity on their credit/bank cards. The Daily Mail reported that the customer data stolen from British Airways had been listed on the dark web for sale by the Russian-led criminal group Magecart.

Following an investigation into the 2018 data breach, British Airways was fined £20 million by the Information Commissioner’s Office (ICO). But this payment was not used to compensate victims. In fact, any money received by the ICO in data breach cases goes to the Treasury. So, the only way victims of the British Airways data breach could get compensation for any harm and/or distress experienced was to take legal action against the airline. 

The ICO’s investigation and fine

According to the ICO, British Airways was processing a significant amount of personal data without adequate security measures in place. ICO investigators believe that British Airways should have identified weaknesses in its security and resolved them. If this had happened, according to the ICO, the airline would have prevented the 2018 cyber-attack. According to the ICO, the measures British Airways could have taken to mitigate or prevent the risk would not have entailed excessive cost or technical barriers. 

Speaking about this case, the then Information Commissioner Elizabeth Denham said: 

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. 

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. 

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.” 

In June 2019 the ICO issued British Airways with a notice of intent to fine. At this stage, British Airways was facing a record £183 million fine by the Information Commissioner’s Office (ICO). The penalty would have been equivalent to 1.5 per cent of British Airways’ global turnover.

However, the ICO considered representations from British Airways before setting the final penalty at £20 million. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR. 

British Airways Data Breach Timeline

  • 21 August 2018 – 5 September 2018
    British Airways’ systems are compromised in a huge cyber-attack. The hack went undetected for two weeks before the airline told its customers about the breach and reported the incident to the police.
  • 6 September 2018
    British Airways announces that it has detected the theft of customer data from its website and mobile app in a (now deleted) tweet.
  • 7 September 2018
    Various media reports claim that about “380,000 transactions are affected, but that the stolen data did not include travel or password details.” British Airways admits that payment card numbers, expiry dates, and CVV security codes were affected by the breach. Online bank Monzo proactively cancels affected customers’ cards and issues replacements.
  • 25 October 2018
    A second data breach is uncovered at British Airways. An additional 185,000 transactions are found to have been compromised between April and July 2018. As such, the number of affected people increases from 380,000 to 429,000.
  • 8 July 2019
    The ICO releases a statement on its “intent to fine” British Airways £183.39 million for the data breach.
  • 4 October 2019
    British Airways customers are given the green light by the Court to bring compensation claims against the airline over the data breach. At the High Court, Mr Justice Warby granted a group litigation order (GLO), paving the way for the group action against BA. A GLO is an order of the court in England and Wales. It allows people who have suffered common or related issues to have their cases managed collectively via a group action.
  • 16 October 2019
    The ICO fines British Airways £20 million. The reduced fine was issued after the airline made representations to the ICO.
  • 6 July 2021
    British Airways settles a case brought by customers and staff affected by the 2018 data breach.

Your questions answered

See our answers to the FAQs we get asked about the British Airways Data Breach.

Who was behind the 2018 BA data breach?

Cyber-criminal gang Magecart is widely believed to be behind the British Airways data breach.   

Who was eligible to make a British Airways data breach claim?

All customers who booked flights online or via the app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 (using a debit or credit card) were affected by the breach and were eligible to join our British Airways data breach compensation claim. 

How long did it take BA to notice the hack?

The hack went undetected for two weeks before the airline told its customers about the breach and reported the incident to the police. British Airways admitted that the hackers spent more than a fortnight accessing data online. 

Why was BA’s fine reduced by the ICO?

In June 2019 the ICO issued British Airways with a notice of intent to fine. At this stage, British Airways was facing a record £183 million fine by the Information Commissioner’s Office (ICO). The penalty would have been equivalent to 1.5 per cent of British Airways’ global turnover. However, as part of the UK’s regulatory process, the ICO considered representations from British Airways and took the economic impact of COVID-19 on the airline into account before setting the final penalty at £20 million.

Did hackers make money from the BA data breach?

Russian hackers may have made money selling data stolen from British Airways customers. The Daily Mail reported that customer data stolen from British Airways was listed on the dark web for sale by Russian-led criminal group Magecart. According to the Daily Mail, hackers were charging between £7 and £40 (approximately) for each card’s worth of information. However, British Airways said it did not receive reports of fraud resulting from the attack on its own systems. 

Did British Airways experience another data breach?

Yes, British Airways experienced another data breach in 2019. Security researchers uncovered unencrypted links within British Airways’ e-ticketing process. The vulnerability may have also exposed sensitive passenger information such as email addresses, names, phone numbers and more.