British Airways data breach
In 2018, there was a data breach that affected 380,000 to 500,000 customers of British Airways.[1][2]
Attack
The Information Commissioner's Office said that the attack had begun in June 2018.[2]
The ICO claimed the incident took place after the British Airways website was diverted to a false site. According to computer security expert Alan Woodward, the attack was most likely carried out through a supply chain attack on a third-party payment script used by the website.[3] The compromised script sent the submitted payment information directly to the attackers. The exposure of CVV codes in the attack supports this theory: under PCI DSS rules CVV codes are not stored,[4] and are only processed at the moment a payment is made, which makes a database compromise unlikely as the source.
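The defensive control that addresses the scenario just described (a third-party script changed after the site owner reviewed it) is Subresource Integrity: the page pins a hash of the reviewed script, and the browser refuses to run a copy whose bytes differ. The following is an added example written for this article, not code from British Airways, the ICO or any vendor named here; the two script bodies are constructed samples, and the use of SRI as a mitigation is this example's assumption, not something the article states.

```python
import base64
import hashlib
import hmac

# Constructed sample: a benign third-party checkout script as originally reviewed.
ORIGINAL_SCRIPT = b"""// checkout.js (constructed sample, not a real vendor script)
function submitPayment(form) {
  return fetch('/api/pay', { method: 'POST', body: new FormData(form) });
}
"""

# Constructed sample of the same file after an unreviewed change. The change here is
# only an appended comment; any byte-level difference breaks the pinned digest the same
# way, which is the whole point of the control.
MODIFIED_SCRIPT = ORIGINAL_SCRIPT + b"// unreviewed change appended after publication\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI integrity value ('<alg>-<base64 digest>') for a script body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, reviewed_body: bytes) -> str:
    """Build the <script> tag that pins the page to the reviewed copy of the script.

    crossorigin="anonymous" is required for SRI on cross-origin resources, which is
    exactly the third-party case discussed in the article.
    """
    return (f'<script src="{src}" integrity="{sri_digest(reviewed_body)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(served_body: bytes, integrity: str) -> bool:
    """Mimic the browser-side check: recompute the digest and compare to the pinned value.

    The integrity attribute may carry several space-separated values. This simplified
    check accepts the resource if any listed value matches; browsers additionally prefer
    the strongest listed algorithm. Unknown algorithm tokens are ignored, as in the spec.
    """
    for expected in integrity.split():
        algorithm, _, _ = expected.partition("-")
        try:
            actual = sri_digest(served_body, algorithm)
        except ValueError:
            continue
        if hmac.compare_digest(actual, expected):
            return True
    return False


def audit_served_script(served_body: bytes, pinned_integrity: str) -> str:
    """Return 'ok' or 'blocked', the outcome a deploy-time or CI check would report."""
    return "ok" if verify_integrity(served_body, pinned_integrity) else "blocked"


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL_SCRIPT)
    print(script_tag("https://vendor.example/checkout.js", ORIGINAL_SCRIPT))
    print("reviewed copy:", audit_served_script(ORIGINAL_SCRIPT, pinned))
    print("altered copy: ", audit_served_script(MODIFIED_SCRIPT, pinned))
```

The same digest comparison can run outside the browser, for example in a scheduled job that fetches each pinned third-party script and alerts when the served bytes no longer match; that gives the site owner a detection signal rather than relying solely on a browser silently refusing to load the file. SRI only helps where the vendor's script is static; a vendor that changes its script frequently needs a review step before the new hash is pinned.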
British Airways said the attack affected bookings made from 21 August 2018 to 5 September 2018, with the credit card details of around 380,000 customers in total being compromised.[1] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes - enough to allow thieves to steal from accounts.[1] 77,000 customers had their name, address, email address and detailed payment information taken, while 108,000 people had personal details compromised that did not include CVV numbers.[5]
One customer of the airline reported that his card had been used in an attempt to buy items by phone at Harrods while he was in Malaysia.[2] The attempt was rejected; the customer did not believe his card had been exposed other than through this attack.[2]
Aftermath
British Airways urged customers to contact their banks or credit card issuer and to follow their advice.[1] NatWest said that it received more calls than usual because of the breach.[1] American Express said that customers would not need to take any action and that they would alert customers with unusual activity on their cards.[1]
Consequences for British Airways
British Airways was issued with a £183 million fine by the Information Commissioner's Office, which was the biggest fine issued by the office up to that date.[2] It was roughly 367 times the previous record, which was a £500,000 fine imposed on Facebook over the Cambridge Analytica scandal.[2]
The Facebook fine was the heaviest that could have been imposed at the time - a new law mirroring GDPR had been introduced between the Facebook and British Airways scandals.[2] The fine was 1.5% of the airline's worldwide turnover in 2017.[2] The maximum under the new laws would have been 4% of worldwide turnover, which would have approached £500 million.[2]
CEO and chairman Álex Cruz said the airline was "surprised and disappointed" in the ICO's finding.[2]
In October 2020 British Airways was fined £20 million by the Information Commissioner's Office, considerably smaller than the £183 million fine that the ICO originally intended.[6]
References
- Sandle, Paul (6 September 2018). "BA apologizes after 380,000 customers hit in cyber attack". Reuters.
- Cellan-Jones, Rory (8 July 2019). "British Airways faces record £183m fine for data breach". BBC News. Retrieved 20 May 2020.
- "British Airways breach: How did hackers get in?". BBC News. 2018-09-07. Retrieved 2022-10-21.
- "PCI DSS Quick Reference Guide v3.2.1". PCI Security Standards Council. https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
- "BA investigation into website hack reveals more victims". BBC News. 2018-10-25. Retrieved 2022-11-04.
- Tidy, Joe (16 October 2020). "British Airways fined £20m over data breach". BBC News. Retrieved 16 October 2020.