UK ICO British Airways Breach

On Sep. 7, UK ICO, NCSC update on British Airways data breach.

  • Confirmed British Airways had made them aware of an incident, enquiries ongoing.

BA Response

  • CEO Alex Cruz said hackers carried out a sophisticated, malicious, criminal attack.
  • The personal or financial details of customers making bookings were compromised.
  • 380k transactions were affected, but data did not include travel or passport details.
  • BA committed to working with customers who have been financially affected by the attack, to compensate them for any financial hardship that they may have suffered.


  • BA said breach took place between 22:58 BST on Aug. 21 and 21:45 BST on Sep. 5.
  • The shares in British Airways parent group IAG closed 1.4% lower on Sep. 7, 2018.
  • BA said customers affected by breach had been notified on Thursday night (Sep. 6).
  • Breach only affects people who bought tickets during the timeframe provided by BA.
  • Data stolen included name, email address, credit card information (ie the credit card number, expiration date and the three digit CVV code on the back of the credit card).
  • BA insists it did not store the CVV numbers, prohibited under international standards.
  • Since BA said attackers managed to obtain CVV numbers, security researchers have speculated that card details were intercepted, rather than harvested from database.

Potential Fine

  • BA's data breach took place after introduction of the new Data Protection Act, which includes provisions of the new European General Data Protection Regulation (GDPR).
  • Under the new regulations the maximum penalty for a firm hit with a data breach is a fine of either £17 mn or 4% of global turnover, whichever is the greater amount.
  • In the year ended Dec. 31 2017, BA total revenue was £12.2 bn, meaning company
    could face fine of around £500 mn if Information Commissioner's Office takes action.

NCSC Advice

  • The NCSC issued advice for customers who have used website or mobile application.
  • If you used BA website or mobile application to purchase services during the period stipulated, recommend contacting financial institution to check for irregular activity.
  • Should monitor financial accounts for any suspicious transactions, customers should ensure their passwords are secure or consider changing passwords for key accounts.