British Airways hit with a massive fine for 2018 data breach

A data breach in 2018 that saw hackers steal personal data belonging to hundreds of thousands of British Airways customers has cost the company nearly 184 million British pounds (about $230 million), making it the biggest fine ever imposed for an incident of this kind.

The U.K.’s Information Commissioner’s Office (ICO) said it handed down the fine for breaches of data protection law that it said resulted from “poor security arrangements” at the company.

The breach took place during the summer of 2018, and affected anyone who used B.A.’s website or mobile app to book a flight or vacation. Hackers diverted customers to a fraudulent site from which they were able to harvest customer details that included names, addresses, log-in information, payment card numbers, and travel booking details. Initial reports said that around 380,000 people had been affected, but the ICO this week put the number at 500,000.

Information Commissioner Elizabeth Denham said of the incident: “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage, or theft it is more than an inconvenience.

“That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The airline was understandably upset with the record fine, with B.A. chairman and chief executive Alex Cruz saying his company was “surprised and disappointed” by the ICO’s findings, adding, “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

The largest fine before now was handed out to Facebook in 2018 for its role in the Cambridge Analytica scandal. At 500,000 British pounds (about $625,000), that’s considerably lower than B.A.’s penalty. Larger fines have been made possible by new data protection laws that give greater powers to the agencies that deal with such cases.

The new laws mean businesses can be fined up to 4% of their annual turnover. With B.A.’s fine equaling 1.5% of its worldwide turnover in 2017, it clearly could have turned out a lot worse for the airline. B.A. has four weeks to appeal the ICO’s decision.

Trevor Mogg
Contributing Editor