
British Airways data breach

In 2018, the UK flag carrier British Airways suffered a cyberattack in which the personal and financial details of hundreds of thousands of customers who made bookings on BA's website and mobile application were stolen. Subsequent investigations by the United Kingdom Information Commissioner's Office (ICO) found that the attacker was in a position to access personal data relating to about 429,612 individuals, including roughly 244,000 customers whose names, addresses, payment card numbers, expiry dates and card verification values (CVVs) were exposed.

Context
British Airways (BA) is the flag carrier of the United Kingdom. It is headquartered in London, England at Waterside, near its main hub at Heathrow Airport. At the time of the 2018 data breach, British Airways' reputation had been affected by several high-profile operational disruptions, including a major IT systems outage in May 2017 that led to hundreds of flight cancellations from Heathrow and Gatwick and stranded tens of thousands of passengers worldwide. The data breach also occurred soon after the General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. GDPR introduced stricter obligations on organisations that act as controllers or processors of personal data and allowed regulators to impose administrative fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is higher.
Timeline
On 22 June 2018, an attacker gained access to the British Airways network by means of compromised login details (a stolen username and password) belonging to an employee of Swissport, a third-party cargo handler. The compromised account did not have multi-factor authentication (MFA) enabled, a security measure that requires a second step in addition to a password, such as a code sent to a phone. British Airways later found that the attacker had compromised five such Swissport accounts. The accounts allowed the attacker to access only a limited set of applications and data within a virtual environment provided by the Citrix platform, which British Airways used to let staff and partners run internal applications over the internet. However, the attacker was able to break out of that environment. Having done so, they found the username and password of a highly privileged user saved in a file that could be accessed by any user of the domain.

Discovery

On 5 September 2018, a third party informed British Airways that data from its website was being sent to a third-party site, indicating that the site had been compromised. Within 90 minutes, British Airways removed the malicious code. On 6 September, British Airways informed the ICO and 496,636 affected customers. The statement said that the breach had been resolved, the website was operating normally, and that British Airways had notified the police and relevant authorities and was contacting affected customers. The attackers obtained names, street addresses, email addresses, credit card numbers, expiry dates and card security codes – enough to allow malicious actors to steal from accounts. British Airways urged customers to contact their bank or credit card issuer and to follow their advice. NatWest said that it received more calls than usual because of the breach. American Express said that customers would not need to take any action and that it would alert customers with unusual activity on their cards.
Perpetrators
Cybersecurity firm RiskIQ, as reported by InfoQ, attributed the British Airways compromise to Magecart, a loose collective of criminal groups known for injecting web-skimming JavaScript into online payment pages. Likewise, Wired described the attackers as a hacking group called Magecart, which added 22 lines of code to British Airways' checkout page to divert payment details to the domain.
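A Magecart-style change of this kind is a small addition to a page that should otherwise be stable, so one defensive control is to audit the checkout page's scripts against an allowlist of hosts and a baseline of known-good inline script hashes. The following is an added example, not code from the original article or from British Airways; the host names, hashes and sample page are constructed for illustration, and the `ALLOWED_HOSTS` set and the `.invalid` domains are assumptions.

```python
# Added example, not code from the original article; hosts, hashes and sample are constructed.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example-airline.invalid", "cdn.example-airline.invalid"}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False  # each entry: [src, inline_body]
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_data(self, data):
        if self._in_script:  # script bodies arrive unparsed, possibly in chunks
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def _foreign(url, allowed):
    host = urlparse(url).hostname  # None for a relative URL, i.e. same origin
    return host is not None and host not in allowed

def audit_scripts(html, baseline, allowed=ALLOWED_HOSTS):
    """Return (kind, detail) findings: external scripts from unlisted hosts, inline
    code naming unlisted hosts, and inline blocks whose SHA-256 is not in the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src and _foreign(src, allowed):
            findings.append(("unlisted-script-src", src))
        for url in re.findall(r"https?://[^\s'\"<>]+", body):
            if _foreign(url, allowed):
                findings.append(("unlisted-host-in-inline-script", url))
        if not src and hashlib.sha256(body.encode()).hexdigest() not in baseline:
            findings.append(("inline-script-not-in-baseline", body.strip()[:40]))
    return findings

# Constructed sample: one baselined inline block, one allowlisted external script,
# and one newly added inline block that names a host outside the allowlist.
KNOWN_INLINE = "window.checkout = {step: 'payment'};"
BASELINE = {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()}
SAMPLE_PAGE = f"""<html><body><script>{KNOWN_INLINE}</script>
<script src="https://cdn.example-airline.invalid/checkout.js"></script>
<script>var endpoint = "https://collector.constructed-example.invalid/";</script></body></html>"""
```

Run on the sample, `audit_scripts(SAMPLE_PAGE, BASELINE)` flags only the third script, once for the unlisted host it references and once because its body is not in the baseline.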
Impact
The attacker was in a position to access the personal data of 429,612 individuals, including the name, address, card number and CVV number of 244,000 BA customers; the CVV and card number only of 77,000 customers; and the card number only of 108,000 customers.
Legal consequences
In 2019, the UK Information Commissioner's Office (ICO) announced that it intended to issue a fine of 1.5% of the airline's 2017 turnover, amounting to £183.39 million, for what it described as "poor security arrangements" that had allowed the attacker to access customer data. The ICO later set a starting figure of £30 million, then reduced it by £6 million to reflect mitigating steps taken by British Airways and by a further £4 million under its policy on financial hardship during the COVID-19 pandemic, resulting in the final £20 million fine issued on 16 October 2020.

"People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

In 2021, the law firm Pogust Goodhead announced that it was representing a group of British Airways customers who had been affected by the breach in "the largest group-action personal-data claim in UK history". The case was settled out of court.