Stolen data from 380,000 British Airways customers

Posted date 07/09/2018

British Airways has reported the theft of data belonging to 380,000 customers via its website and mobile application.

The company clarified that customer information, both personal and financial, was compromised between 23:58 on 21 August and 22:45 on 5 September (Spanish time).

The airline's chairman and CEO, Alex Cruz, said that the relevant authorities have been informed of the incident. He also stated that the issue has been resolved and that the website is currently operating normally.

[Update 13/09/2018] RiskIQ security researcher Yonathan Klijnsma has published new information about this breach, attributing it directly to the Magecart group. According to his analysis, the attackers gained control of the server and hid the JavaScript code responsible for harvesting the payment data inside the Modernizr library, a script loaded both by the company's website and by its mobile application.

[Update 29/10/2018] Subsequent investigation has revealed that the attackers may have stolen additional personal data. The company is notifying the holders of 77,000 previously unannounced payment cards that their name, billing address, email address and card details, including card number, expiry date and CVV (Card Verification Value), may have been compromised, and a further 108,000 cardholders whose details were exposed without the CVV. The newly affected customers are those who made a reservation between 21 April and 28 July 2018 and paid with a card. The company has also found that, of the 380,000 payment cards initially announced as affected, only 244,000 were actually compromised.

[Update 12/11/2018] The airline has admitted that a further 185,000 people may have been affected beyond those announced in September 2018, bringing the total to 565,000 customers. The delay in informing these additional 185,000 victims may have exposed them to an increased risk of fraud, since their data was exposed, and left unchanged, for longer.

[Update 08/07/2019] British Airways faces a record fine of GBP 183 million (EUR 205 million) proposed by the Information Commissioner's Office (ICO) for breaching the General Data Protection Regulation (GDPR). The ICO investigation found that a wide range of information was compromised as a result of inadequate security measures at the company, including login credentials, payment card and travel booking details, and names and addresses. The company now has the opportunity to make representations to the ICO regarding the proposed findings and sanction.

[Update 20/10/2020] The Information Commissioner's Office (ICO) has imposed a fine of GBP 20 million on British Airways (BA) for breaches of data protection law that affected approximately 429,000 of its customers and employees. The investigation concluded that BA could have identified and resolved some of the weaknesses in its security using measures available at the time, thereby avoiding incidents such as the 2018 breach.