July 8, 2019updated 06 Jul 2022 10:05am

BA Facing £183.39M Fine for 2018 Data Breach

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience”

By CBR Staff Writer

British Airways faces a £183.39 million fine for failing to protect customers’ financial and personal data following a Magecart-style card skimming attack on its website last summer – which required just 22 lines of code to execute.

The Information Commissioner’s Office (ICO) found that a “variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as names and addresses.”

Announcing her intention to levy the fine under GDPR, Information Commissioner Elizabeth Denham said: “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Nearly half-a-million customers were affected.

British Airways now has the opportunity to “make representations” to the ICO about its findings and the proposed fine. The decision to hit BA with a substantial fine for the breach was roundly welcomed by security professionals.

Nik Whitfield, CEO, Panaseer, said: “This is game changing for any company serving EU customers, and great news for consumers’ privacy.”


“This shareholder affecting penalty creates the business case for global companies to invest the substantial sums required to continuously assure that their security controls are adequate, present and working effectively – too often we see data breaches enabled by fundamental security measures not being switched on. New, automated approaches to assurance, such as Continuous Controls Monitoring, will become standard practice, in the same way ERP systems have for the finance function.”

British Airways Fined: Company to Appeal

The British Airways chairman, Álex Cruz, told press that the airline was “disappointed” by the initial finding, saying: “British Airways responded quickly to a criminal act to steal customers’ data.”

“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Willie Walsh, the chief executive of BA’s owner International Airlines Group (IAG), said the airline would appeal the penalty.

Cybersecurity company RiskIQ, which identified the script used in the attack late last year, said at the time: “The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”

“We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.”

Such card skimming attacks typically work by embedding custom JavaScript into an e-commerce page. Whenever card data is entered into a form, the skimmer copies the form contents and sends the stolen data to a drop server. They remain rampant: as first reported by Computer Business Review on Friday, 962 e-commerce websites are believed to have been attacked in just 24 hours last week in a highly automated attack.
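Because a skimmer of this kind is just one more script on the checkout page that posts to a host the site owner never approved, two defensive checks follow directly from the description above: inventory every external script origin on the page against an allowlist, and deploy a Content-Security-Policy that restricts where scripts may load from and where form data and XHR requests may be sent. The following is an added example written for this article, not code from British Airways, RiskIQ or the ICO; every hostname and path in it is constructed for illustration.

```javascript
// Added example (not from the article): a defender-side script inventory for a
// checkout page plus a CSP builder. Run with Node; all hostnames are constructed.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Resolve a script src against the page URL and return its origin. Opaque
// origins (e.g. data: URIs) come back as the string "null" and are therefore
// never on the allowlist; an unparseable src returns null.
function scriptOrigin(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin;
  } catch (e) {
    return null;
  }
}

// Return the src of every external <script> whose origin is not in
// allowedOrigins. The page's own origin is always permitted.
function findUnexpectedScripts(html, pageUrl, allowedOrigins) {
  const allowed = new Set(allowedOrigins.concat(new URL(pageUrl).origin));
  const unexpected = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    const src = match[1];
    const origin = scriptOrigin(src, pageUrl);
    if (origin === null || !allowed.has(origin)) {
      unexpected.push(src);
    }
  }
  return unexpected;
}

// Build a CSP header value that only permits scripts from, and network
// connections or form submissions to, the listed origins. A skimmer loaded
// from, or exfiltrating to, any other host is blocked by the browser and a
// violation report is sent to reportUri, which gives the defender a signal.
function buildCsp(allowedOrigins, reportUri) {
  const sources = ["'self'"].concat(allowedOrigins).join(' ');
  return [
    "default-src 'self'",
    `script-src ${sources}`,
    `connect-src ${sources}`,
    `form-action ${sources}`,
    `report-uri ${reportUri}`,
  ].join('; ');
}

// Constructed checkout page: the site's own bundle, one approved payment
// provider script, one script from an origin nobody approved, and one inline
// script (which the CSP above also blocks, since 'unsafe-inline' is absent).
const SAMPLE_HTML = `
<html><body>
<script src="/static/app.js"></script>
<script src="https://pay.example-provider.test/checkout.js"></script>
<script src="https://static.unexpected-cdn.test/modernizr.js"></script>
<script>window.checkoutReady = true;</script>
</body></html>`;

const PAGE_URL = 'https://shop.example.test/checkout';
const ALLOWED = ['https://pay.example-provider.test'];

console.log(findUnexpectedScripts(SAMPLE_HTML, PAGE_URL, ALLOWED));
console.log(buildCsp(ALLOWED, '/csp-report'));
```

The inventory check is meant to run against the served page on a schedule, so that a script injected after deployment shows up as a diff against the allowlist rather than going unnoticed until a card brand reports fraud; the CSP is the in-browser control that limits damage in the meantime, and the violation reports it generates are worth routing into the same alerting as the inventory diff.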

“British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light”, the ICO said, adding, “the company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”
