British Airways data breach
The 2018 British Airways cyberattack was a cyberattack that affected 380,000 to 500,000 customers of British Airways.[1][2]
Attack
British Airways said the attack afffected bookings from 21 August 2020 and 5 September 2020 with credit card details of around 380,000 customers being compromised.[1] The attackers obtained names, street addresses, email addresses, credit card numbers, expirty dates and Ccard security codes - enough to allow thieves to steam from accounts.[1]
One customer of the airline reported that his card had been used to buy items by phone at Harrods while he was in Malaysia.[2] The attempt was rejected - the customer did not think his card was exposed except by this attack.[2]
Aftermath
British Airways urged customers to contact their banks or credit card issuer and to follow their advice.[1] NatWest said that it received more calls than usual because of the breach.[1] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.[1]
Analysis
The Information Commissioner's Office said that the attack had begun in June 2018.[2]
Consequences for British Airways
British Airways was issued with a £183 million fine by the Information Commissioner's Office, which was the biggest fine issued by the office up to that date.[2] It was roughly 367 times the previous record, which was a £500,000 fine imposed on Facebook over the Cambridge Analytica scandal.[2]
The Facebook fine was the heaviest that could have been imposed at the time - a new law mirroring GDPR had been introduced between the Facebook and British Airways scandals.[2] The fine was 1.5% of the airline's worldwide turnover in 2017.[2] The maximum under the new laws would have been 4% of worldwide turnover, which would have approached £500 million.[2]
CEO and chairman Álex Cruz said the airline was "surprised and disappointed" in the ICO's finding.[2]