The British Airways data breach was a 2018 cyberattack in which the personal and financial data of hundreds of thousands of customers who made bookings on British Airways' website and mobile application was stolen. Subsequent investigations by the UK Information Commissioner's Office (ICO) found that the attacker was in a position to access personal data relating to about 430,000 individuals, including roughly 244,000 customers whose names, addresses, payment card numbers, expiry dates and card verification values (CVVs) were exposed.
The attacker first accessed British Airways' network in June 2018 using compromised credentials for a third-party supplier and then moved laterally through a Citrix-based remote access system after exploiting poor internal security controls. They obtained highly privileged account details, discovered that British Airways had been logging payment card data for certain redemption transactions in plaintext since 2015, and later modified JavaScript on the airline's payment pages so that card data entered by customers was copied to an attacker-controlled website while bookings appeared to complete normally. Cybersecurity firm RiskIQ, among others, linked the attack to the web-skimming group known as Magecart.
The breach was one of the first high-profile tests of the General Data Protection Regulation (GDPR) for a major airline. In 2019 the ICO announced its intention to fine British Airways £183.39 million; after further analysis and consideration of mitigating factors this was reduced to a £20 million penalty issued in October 2020. The incident also led to group litigation on behalf of affected customers, described by claimant law firms as the largest personal-data group action in UK history, which was settled out of court in 2021.
British Airways (BA) is the flag carrier of the United Kingdom. It is headquartered in London, England at Waterside, near its main hub at Heathrow Airport. Since 2011 it has been part of the International Airlines Group (IAG), a multinational holding company that also owns Iberia, Aer Lingus and other carriers.
At the time of the 2018 data breach British Airways’ reputation had been affected by several high-profile operational disruptions, including a major IT systems outage in May 2017 that led to hundreds of flight cancellations from Heathrow and Gatwick and stranded tens of thousands of passengers worldwide. [1] [2]
The data breach also occurred soon after the General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. [3] GDPR introduced stricter obligations on organisations that act as controllers or processors of personal data and allowed regulators to impose administrative fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is higher. [4] Airlines were regarded as particularly exposed to these rules because they routinely process large volumes of sensitive personal information, including passenger identity details, contact information and payment card data, across multiple jurisdictions. [5]
On 22 June 2018, an attacker gained access to British Airways' network by means of compromised login details – a stolen username and password – belonging to an employee of Swissport, a third-party cargo handler. [6] The compromised account did not have multi-factor authentication enabled, a security measure that requires a second step in addition to a password, such as a code sent to a phone. [6] BA later found that the attacker had compromised five such Swissport accounts. [6]
The accounts only allowed the attacker to access a limited set of applications and data within a virtual environment provided by the Citrix platform, which British Airways used to let staff and partners run internal applications over the internet. However, the attacker was able to break out of that environment by unknown means. [6] After breaking out of the environment, the attacker found the username and password of a highly privileged user saved in a file that could be accessed by any user of the domain. [6]
On 26 June 2018, the attacker was able to find the username and password for a database System Administrator. [6]
On 26 July 2018, the attacker was able to access text files containing payment card details for British Airways redemption transactions. The UK Information Commissioner's Office's report highlighted this issue:
The logging and storing of these card details (including, in most cases, CVV codes) was not an intended design feature of British Airways' systems and was not required for any particular business purpose.
It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live. British Airways has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error. This error meant that the system had been unnecessarily logging payment card details since December 2015.
The impact of this failure was mitigated to some extent by the fact that the retention period of the logs was 95 days, which meant that the only accessible card details were those logged within the preceding 95 days. Nevertheless, the details of approximately 108,000 payment cards were potentially available to the Attacker. [6]
Because this information was stored in plaintext – not encrypted – anyone who could read the logs could see the full card details. [6]
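The plaintext logging described above is the kind of defect a routine scan of log output would have surfaced long before an attacker did. The following is an added example, not code from British Airways or from the ICO report: it scans constructed sample log lines for Luhn-valid card numbers and CVV fields and reports masked values only; the log format, field names and sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not taken from British Airways' systems):
# a redemption-booking log that records full card data in plaintext, plus
# benign lines containing long digit strings that are not card numbers.
SAMPLE_LOG = """\
2018-07-26 10:12:03 INFO redemption booking=ABC123 pan=4111111111111111 exp=09/20 cvv=123
2018-07-26 10:12:04 INFO request id=1234567890123456 status=OK
2018-07-26 10:12:05 DEBUG card 5500 0000 0000 0004 cvv=999 amount=42.00
2018-07-26 10:12:06 INFO passenger pnr=XY9Z8W
"""

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A "cvv=" or "cvv:" field with a 3- or 4-digit value (assumed field name).
CVV_RE = re.compile(r"\bcvv\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the BIN and last four digits so findings can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that holds a Luhn-valid PAN or a CVV field."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = []
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):   # drops ids/timestamps that merely look numeric
                pans.append(mask(digits))
        cvv = CVV_RE.search(line) is not None
        if pans or cvv:
            findings.append({"line": lineno, "pans": pans, "cvv_present": cvv})
    return findings
```

Run against the sample, lines 1 and 3 are reported (masked), while the 16-digit request id on line 2 fails the Luhn check and is ignored.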
Between 14 August 2018 and 25 August 2018, the attacker was able to add 22 lines of JavaScript to the BA website so that customer payment information was funnelled to a website controlled by the attacker ("BAways"). [6]
On 5 September 2018 a third party informed British Airways that data from its website was being sent to a third-party site, indicating that the site had been compromised. [6] Within 90 minutes British Airways removed the malicious code, and 20 minutes later it blocked access to the attacker’s domain.
British Airways has not publicly identified the third party. According to reporting in The Independent, the airline said only that “a third party noticed some unusual activity and informed us about it”, and the newspaper understood the third party to be a company, possibly another airline, that had seen a high volume of attempted fraudulent transactions and traced them back to British Airways customers. [7]
On 6 September 2018 British Airways informed the ICO and 500,000 affected customers. [6] British Airways issued a public statement saying that it was “investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app”, and that the stolen data did not include travel or passport details but concerned around 380,000 payment cards. [8] The statement said that the breach had been resolved, that the website was working normally, and that British Airways had notified the police and relevant authorities and was contacting affected customers. [8]
On 7 September 2018 British Airways said the attack affected bookings made between 21 August 2018 and 5 September 2018, with the credit card details of around 380,000 customers in total being compromised. [9] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes – enough to allow thieves to steal from accounts. [9] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised which did not include card security codes. [10]
British Airways urged customers to contact their banks or credit card issuer and to follow their advice. [9] NatWest said that it received more calls than usual because of the breach. [9] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards. [9]
Cybersecurity firm RiskIQ, as reported by InfoQ, attributed the British Airways compromise to Magecart, a loose collective of criminal groups known for injecting web-skimming JavaScript into online payment pages. Wired likewise described the attackers as a hacking group called Magecart, which added 22 lines of code to BA’s checkout page to divert payment details to the domain. [11] [12]
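The injection of a few lines of JavaScript into the checkout page, as described above, is the kind of change a page-integrity check can catch by comparing each fetch of the payment page with a known-good copy. The following is an added example, not British Airways' code or any Magecart tooling: it hashes inline scripts and lists external script hosts, flagging anything that differs from a baseline page or is absent from a host allowlist; the HTML, hostnames and allowlist are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Records external <script> hosts and SHA-256 hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline_hashes, self._buf = set(), set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.hosts.add(urlparse(src).hostname or "<relative>")
        else:
            self._buf = []          # start collecting inline script text

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            text = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(text).hexdigest())
            self._buf = None

def audit_page(html, baseline_html, allowed_hosts):
    """Diff a fetched checkout page against a known-good copy and a host allowlist."""
    cur, base = ScriptCollector(), ScriptCollector()
    cur.feed(html)
    base.feed(baseline_html)
    return {"unknown_hosts": sorted(cur.hosts - set(allowed_hosts)),
            "changed_inline": sorted(cur.inline_hashes - base.inline_hashes)}

# Constructed known-good checkout page; hostnames are placeholders.
BASELINE = """<html><body><form id="pay"></form>
<script src="https://static.example-airline.test/checkout.js"></script>
<script>document.getElementById("pay").dataset.ready = "1";</script>
</body></html>"""
ALLOWED_HOSTS = {"static.example-airline.test"}

# Constructed "after" page: the inline script has grown by a few lines and a
# script is now loaded from a host that is not on the allowlist.
MODIFIED = BASELINE.replace(
    'dataset.ready = "1";', 'dataset.ready = "1";\n/* lines not in baseline */'
).replace("</body>", '<script src="https://unexpected-host.example/a.js"></script>\n</body>')
```

Scheduled against the live page, an alert on either list is the signal to pull the page and compare the script text by hand; the baseline has to be re-captured after every legitimate release.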
The attacker was in a position to access the personal data of 429,612 individuals, [6] including the name, address, card number and CVV number of 244,000 BA customers. [6] In addition, 77,000 people's card numbers and CVVs were potentially leaked, and another 108,000 people's card numbers only. [6]
In 2019 the UK Information Commissioner's Office (ICO) announced it intended to issue a fine for 1.5% of the airline's 2017 turnover, amounting to £183.39 million, [13] for what it described as "poor security arrangements" that had allowed the attacker to access customer data. [6] Subsequent legal analysis noted that this provisional figure was calculated using both the ICO’s published Regulatory Action Policy (RAP) and an unpublished Draft Internal Procedure (DIP) that based fines on an organisation’s turnover; after BA objected to the use of the DIP, the ICO recalculated the penalty using only the RAP. [14] Under that framework the ICO set a starting figure of £30 million, then reduced it by £6 million to reflect mitigating steps taken by BA and by a further £4 million under its policy on financial hardship during the COVID-19 pandemic, resulting in the final £20 million fine issued on 16 October 2020. [14] [13]
Information Commissioner Elizabeth Denham was quoted as saying:
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” [15]
In 2021 the law firm Pogust and Goodhead announced that they were representing a group of BA customers who had been affected by the breach in "the largest group-action personal-data claim in UK history". [16] The case was settled out of court. [17]