British Airways reveals massive data breach, could face £500m fine under GDPR

Sean Reid
September 10, 2018

The airline said it was investigating the breach, which took place from 11pm on August 21 until 9.45pm on Wednesday.

BA chief executive Alex Cruz said Friday that enough data was stolen to allow criminals to use credit card information for illicit purposes, and that police are investigating.

BA said the breach had been "resolved" and the website was "working normally".

The law of the land: The EU's newly minted General Data Protection Regulation requires that companies take precautions to protect customer data and notify authorities of any breaches within 72 hours. We will continue to keep our customers updated with the very latest information.


British Airways said that affected customers should contact their banks.

The breach had gone unnoticed for over two weeks - from 11pm on August 21 to September 5.

Shares in BA's parent, International Airlines Group, fell 3 per cent in early deals on Friday due to the attack. The rule says that if such a breach amounts to a violation of customers' rights and freedoms, the affected company must inform its customers without delay.

The airline says personal and financial details of customers making bookings over the period were compromised. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild.


"They appear to be saying on Twitter that everyone who made a booking online or on the app during the timeframe is affected and they would be emailing everyone", she said. We recommend that you contact your bank or credit card provider and follow their recommended advice.

Luke Brown, VP EMEA at WinMagic, said data loss, data theft and data breach are all phrases which are now part and parcel of the daily news agenda.

Jurijs Rapoports, Senior Security Lead at cybersecurity firm X Infotech, told IE that this is not the first time a company has suffered such a large-scale data breach and that several airlines have been hacked before.

Britain's National Crime Agency said it was assessing the matter, while the UK's data protection watchdog, the Information Commissioner's Office (ICO), will make its own enquiries.


The incident comes after an IT meltdown caused huge disruption for BA passengers at the start of the May half-term holiday. The stolen data did not include travel or passport information.
