2018 British Airways cyberattack
The 2018 British Airways cyberattack was a cyberattack that affected 380,000 to 500,000 customers of British Airways.[1][2]
Attack
British Airways said the attack affected bookings made between 21 August 2018 and 5 September 2018, with credit card details of around 380,000 customers being compromised.[1] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes - enough to allow thieves to steal from accounts.[1]
One customer of the airline reported that his card had been used to buy items by phone at Harrods while he was in Malaysia.[2] The attempt was rejected, and the customer did not think his card had been exposed except by this attack.[2]
Aftermath
British Airways urged customers to contact their banks or credit card issuers and to follow their advice.[1] NatWest said that it received more calls than usual because of the breach.[1] American Express said that customers would not need to take any action and that it would alert customers with unusual activity on their cards.[1]
Analysis
The Information Commissioner's Office said that the attack had begun in June 2018.[2]
Consequences for British Airways
British Airways was issued with a £183 million fine by the Information Commissioner's Office, which was the biggest fine issued by the office up to that date.[2] It was roughly 367 times the previous record, which was a £500,000 fine imposed on Facebook over the Cambridge Analytica scandal.[2]
The Facebook fine was the heaviest that could have been imposed at the time - a new law mirroring GDPR had been introduced between the Facebook and British Airways scandals.[2] The fine was 1.5% of the airline's worldwide turnover in 2017.[2] The maximum under the new laws would have been 4% of worldwide turnover, which would have approached £500 million.[2]
CEO and chairman Álex Cruz said the airline was "surprised and disappointed" in the ICO's finding.[2]
In October 2020, British Airways was fined £29 million by the Information Commissioner's Office, a sum considerably smaller than the £183 million fine that the ICO originally intended.[3]
References
- Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.
- Cellan-Jones, Rory (8 July 2019). "British Airways faces record £183m fine for data breach". BBC News. Retrieved 20 May 2020.
- Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.