In 2021 the British Airways data breach action was resolved on confidential terms following successful mediation and negotiation. The resolution did not include any admission of liability by the airline. Keller Postman UK represented many clients in this case. In fact, we were one of only two firms to pursue legal action against British Airways and we were delighted to have secured a settlement for those affected.
While we are prohibited from discussing the terms of the settlement, this page explains how the data breach happened, the facts of the case, and the consequences for the affected customers.
Almost 400,000 British Airways customers had their personal details and bank card details stolen in one of the most severe cyber-attacks in UK history. The breach happened when hackers managed to access the British Airways website and mobile app. Cyber-criminal gang Magecart is believed to be behind the British Airways data breach.
Because of the British Airways data breach, many customers were forced to change their bank accounts or credit cards, while others reported theft, fraud, and emotional damage. Cyber-criminals diverted some passengers to a fake website where hackers harvested further details. Some BA customers reported fraudulent activity on their credit/bank cards. The Daily Mail reported that the customer data stolen from British Airways had been listed for sale on the dark web by the Russian-led criminal group Magecart.
Following an investigation into the 2018 data breach, British Airways was fined £20 million by the Information Commissioner’s Office (ICO). But this payment was not used to compensate victims. In fact, any money received by the ICO in data breach cases goes to the Treasury. So, the only way victims of the British Airways data breach could get compensation for any harm and/or distress experienced was to take legal action against the airline.
According to the ICO, British Airways was processing a significant amount of personal data without adequate security measures in place. ICO investigators believe that British Airways should have identified weaknesses in its security and resolved them. If this had happened, according to the ICO, the airline would have prevented the 2018 cyber-attack. According to the ICO, the measures British Airways could have taken to mitigate or prevent the risk would not have entailed excessive cost or technical barriers.
Speaking about this case, the then Information Commissioner Elizabeth Denham said:
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
In June 2019 the ICO issued British Airways with a notice of intent to fine. At this stage, British Airways was facing a record £183 million fine by the ICO. The penalty would have been equivalent to 1.5 per cent of British Airways' global turnover.
However, the ICO considered representations from British Airways before setting the final penalty at £20 million. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
See our answers to the FAQs we get asked about the British Airways Data Breach.
Cyber-criminal gang Magecart is widely believed to be behind the British Airways data breach.
All customers who booked flights online or via the app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 (using a debit or credit card) were affected by the breach and were eligible to join our British Airways data breach compensation claim.
The hack went undetected for two weeks; once it was discovered, the airline told its customers about the breach and reported the incident to the police. British Airways admitted that the hackers spent more than a fortnight accessing data online.
In June 2019 the ICO issued British Airways with a notice of intent to fine. At this stage, British Airways was facing a record £183 million fine by the ICO. The penalty would have been equivalent to 1.5 per cent of British Airways' global turnover. However, as part of the UK's regulatory process, the ICO considered representations from British Airways and took the economic impact of COVID-19 on the airline into account before setting the final penalty at £20 million.
Russian hackers may have made money selling data stolen from British Airways customers. The Daily Mail reported that customer data stolen from British Airways was listed on the dark web for sale by Russian-led criminal group Magecart. According to the Daily Mail, hackers were charging between £7 and £40 (approximately) for each card’s worth of information. However, British Airways said it did not receive reports of fraud resulting from the attack on its own systems.
Yes, British Airways experienced another data breach in 2019. Security researchers uncovered unencrypted links within British Airways' e-ticketing process. The vulnerability may also have exposed sensitive passenger information such as email addresses, names, phone numbers and more.