
BRITISH AIRWAYS DATA BREACH 1

British Airways Data Breach

Name

Institution

Course Name

Instructor’s Name

Date

British Airways Data Breach

Introduction

Data breaches have become more frequent across the globe in recent years. The associated
costs can be substantial and at times threaten a company's ability to continue operating.
Cybercriminals steal valuable information, including intellectual property, financial
information, health information, personally identifiable information, legal information, and
IT security data, and then use or sell it for identity theft, marketing, or fraud. It is
therefore important for companies to identify possible threats and reduce their exposure. In
2018, British Airways (BA) suffered a severe data breach in which customer data from about
380,000 booking transactions was stolen. BA is the UK's flag carrier and a leading
international airline, serving more than 600 destinations and priding itself on a full-service
experience. According to its CEO, Sean Doyle, BA aims to build a sustainable future for the
planet and to reach net-zero carbon emissions by 2050
(https://www.britishairways.com/en-mu/information/about-ba). This paper examines the costly
2018 BA breach: how it occurred, its implications, and how the company responded.

Case Summary

In 2018, British Airways reported a data breach that compromised sensitive payment card
details, names, addresses, and email addresses. The incident ran from 21 August to 5 September
2018 and affected about 380,000 booking transactions (Whitaker, 2018). BA described the attack
as "malicious and sophisticated", and it was the first publicly reported hack of the airline
since its establishment in 1919. In October 2020, the Information Commissioner's Office (ICO)
fined the carrier £20m (ICO, 2020). The penalty is paid to the Treasury rather than to the
affected customers, who must pursue compensation separately; at the time it was the largest
fine the ICO had issued under the UK's data protection law.

Analysis of the Issues, Causes and Factors

On 6 September 2018, BA announced that it had suffered a breach leading to the theft of
customer details. BA told BBC News that more than 380,000 customers were affected and that the
compromised data included payment and personal information; passport data was not affected
(Enoma, 2020). In response to customer questions, BA published a notice stating that payments
made on its website and through its mobile app between 21 August 2018 (22:58) and 5 September
2018 (21:45) were affected (Enoma, 2020). The data was stolen as it passed through the website
and mobile app; the notice did not say that payment details stored on BA's servers or
databases had been accessed. The ICO's later investigation found that the attacker had
accessed personal data including: usernames and PINs of up to 612 BA Executive Club accounts;
names, addresses, card numbers and CVV numbers of 244,000 customers; 108,000 card numbers
without CVV; 77,000 card numbers with CVV only; and usernames and passwords of BA employee and
administrator accounts (ICO, 2020).

Because the notice covered only customer information captured from payment forms, the
Magecart group quickly became the prime suspect: the skimmer code inserted into BA's website
was a refined version of the group's characteristic script. According to Mathew (2021),
Magecart injects scripts that steal the data customers enter into online payment forms on
e-commerce sites, either directly or via compromised third-party suppliers used by those
sites. The BA attack was seen as an evolution of the techniques used in the earlier
Ticketmaster breach, also attributed to Magecart, with the added innovation of targeting the
victim's own site directly rather than one of its suppliers (Nast, 2018). Some of the attack
infrastructure, such as the domain name and web server used to receive the stolen data, was
also linked to the group. BA's website and mobile app loaded the Modernizr JavaScript library,
an outdated version that the company had not kept up to date. Magecart modified this file to
add skimmer code: when a customer submitted the payment form, the script copied the form
contents and sent them to an attacker-controlled domain chosen to resemble a BA address, so
the customer never left the genuine BA page and saw nothing unusual. Klijnsma (2020) classes
this as a form of cross-site scripting attack; it is more precisely described as web skimming
or formjacking, since the malicious script was served from BA's own site rather than injected
through user input. The entry point was the compromised login credentials of an employee of
Swissport, a ground handling contractor, in Trinidad and Tobago. The attacker used these
credentials to reach BA's network through its Citrix remote access gateway, moved laterally
across the network, obtained credentials for administrative accounts, and ultimately modified
the Modernizr file.

The breach was investigated by the Information Commissioner's Office (ICO), the UK regulator
that enforces the General Data Protection Regulation (GDPR), on the grounds that BA had failed
to protect its customers' data. In July 2019 the ICO issued a notice of intent to fine the
airline £183m (BBC News, 2020). After considering representations from the airline, the ICO in
2020 settled on a starting point of £30m, reasoning as follows: the failings were negligent
rather than deliberate; the company did not intentionally cause the breach or benefit from
it; and it had no previous record of non-compliance (whether this last point holds is
debatable, since BA had suffered a breach in 2015) (BBC News, 2020). Beyond this reduction of
roughly £153m, the ICO applied further discounts: £6m (20%) for mitigating factors, because BA
cooperated fully with the investigation and notified customers promptly as the law requires,
and £4m for the economic impact of Covid-19. The result was the final penalty of £20m. The
total cost to BA could still rise, as the insurance industry awaits decisions on whether such
fines are insurable, the outcome of damages claims, and potential PCI DSS penalties for
breaching payment card industry standards (Guida, 2021).

Causes and Implications of the Issue

The ICO described the BA breach as a malicious criminal attack (ICO, 2020). It lasted 15 days
and affected booking transactions made in that window. Financial and personal information was
stolen, but travel details and passport information were untouched. Cybersecurity experts
identified the technique as digital skimming: card details were copied as customers typed
them into the payment form at the time of purchase, rather than being extracted from a
database afterwards. The incident has serious implications for the company, its customers,
and the wider industry. First, a breach of this kind damages the company's reputation and
commercial position. Customers who trusted BA with sensitive information may move to
competitors that are seen to take their data security obligations seriously.

Financially, BA was fined £20m by the ICO, at the time the largest penalty the regulator had
issued (ICO, 2020). This excludes compensation to eligible customers affected by the breach.
The total is a heavy burden that could constrain business operations. The BA breach was the
first high-profile data breach at a large firm after the GDPR came into force in May 2018, so
other companies have watched it to gauge the fines they might expect for a similar event; it
was a major test of the new law and of how it would be enforced. BA's case serves to show
other companies that they must take cybersecurity seriously. It also shows that regulators
must be fair and reasonable in their dealings: BA was found to have complied with the GDPR's
requirement to inform its customers, and this was credited in its favour.

Affected customers did report fraudulent activity on their bank and credit cards, but the
harm may not stop there. After an incident like this, phishing scammers are likely to use
phone calls, text messages, emails, and social media posts to try to extract further
information from victims. The attackers may already have profited from selling the stolen card
data, which was reportedly listed for sale on dark web marketplaces. Companies that handle
payment card data, BA included, will consequently have to invest substantially in oversight,
compliance, and controls. Lastly, the incident takes an emotional toll on the affected
customers. The consequences of a crime, whether serious or minor, can last a lifetime (Huma,
2015). While some people cope well with serious crimes, others suffer lasting emotional harm
from a minor incident. The BA breach may have caused or exacerbated stress and anxiety among
its customers, since the fear of losing a large sum of money can be damaging in itself.
Awareness of the long-term psychological effects of such incidents needs to be raised.

Solutions

That the breach went undetected for 15 days shows how poorly prepared the company was to
safeguard its customers' personal information. The GDPR was introduced to give regulators
stronger powers to fine organisations that violate data protection obligations. It is
therefore important to establish whether BA acted within the GDPR framework in order to
understand the punitive measures it could expect. Under the GDPR, firms must report a personal
data breach to the regulator within 72 hours of becoming aware of it (ICO, 2020). BA's
management reported the incident within 24 hours of discovery, described the kinds of data
that could have been compromised, and gave specific details of those affected. Prompt
notification is a post-incident obligation, however; it reduced the regulatory penalty but
did nothing to shorten the 15 days during which data was being stolen.

According to PGMBM, the law firm leading the group action against the airline, BA did not
respond well to the incident. The company promised to compensate customers who suffered damage
to their credit scores or direct financial losses (https://www.badatabreach.com/ ). However,
it did not address the future risks to which its customers remain exposed, such as fraud and
phishing using the stolen data. The company was also criticised for not taking inexpensive
measures that would have made it harder for attackers to get into its network: rigorous
security testing, multi-factor authentication on third-party and employee accounts, and
restricting access to tools, applications, and data to the people who need it
(https://www.badatabreach.com/ ). Since the attack, the airline has strengthened its IT
security.

Conclusion

Risk management professionals, whether working inside an organisation, serving customers as
brokers, or advising customers as insurers, must stay ahead of current events and their
consequences. The 2018 BA data breach is a landmark case study in why staying informed
matters. More than 380,000 transactions were compromised over 15 days. The company's poor
security arrangements cost it a £20m fine from the ICO under the GDPR, excluding customer
claims. The stolen information included CVV numbers, names, addresses, debit and credit card
numbers, and email addresses. Customers were advised to monitor their transactions and, where
possible, to cancel their cards.

While BA offered compensation to those who incurred credit monitoring costs or direct
financial losses, it failed to consider how customers could be harmed in future. A range of
measures could have reduced the risk of attacks on its network. Information security
practices that could have prevented the attack or limited the damage include security
monitoring, multi-factor authentication for employee and contractor logins, dark web
intelligence feeds and scanning, role-based access control, and regular vulnerability
scanning and penetration testing. These tools and techniques are established best practice in
the cybersecurity community and would have either let BA detect the breach itself, rather
than being told by a third party, or prevented it altogether. BA should invest in IT security
and train its staff to protect customer information.

References

ABOUT BA. (n.d.). British Airways - Information Page.
        https://www.britishairways.com/en-mu/information/about-ba/
BBC News. (2020, October 16). British Airways fined £20m over data breach.
        https://www.bbc.com/news/technology-54568784/
British Airways Airlines and Aviation. (n.d.). LinkedIn.
        https://www.linkedin.com/company/british-airways/
Enoma, B. (2020). Data breach in the travel sector and strategies for risk mitigation. Journal
        of Data Protection & Privacy, 3(4), 418-426.
Guida, S. (2021). British Airways will face record-breaking GDPR fine for suffering financial
        data theft of hundreds of thousands of customers. European Journal of Privacy Law &
        Technologies.
Huma, Z. E. (2015). Effects of crime news on the emotional response of the audience. Journal
        of Mass Communication & Journalism, 5, 257.
ICO. (2020). Penalty notice: Section 155, Data Protection Act 2018.
        https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf
Klijnsma, Y. (2020, November 3). The British Airways breach: How Magecart claimed 380,000
        victims. RiskIQ.
        https://www.riskiq.com/blog/external-threat-management/magecart-british-airways-breach/
Mathew, A. (2021). Obfuscation techniques for Magecart detection and prevention.
Nast, C. (2018, September 11). How hackers slipped by British Airways' data defenses. Wired.
        https://www.wired.com/story/british-airways-hack-details//
Whitaker, T. (2018). The BA data breach. Int'l J. Data Protection Officer, Privacy Officer &
        Privacy Couns., 2, 15.
