Readablewiki

British Airways data breach

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

In 2018, British Airways suffered a major data breach that exposed personal and payment information of hundreds of thousands of customers who booked on ba.com or the BA mobile app. In total, about 429,612 people were affected, and around 244,000 of them had their names, addresses, card numbers, expiration dates and CVVs exposed.

How it happened
- The attack began in June 2018 when the hackers used stolen login details from Swissport, a third‑party contractor, to access BA’s systems. One of the compromised accounts didn’t have multi-factor authentication.
- The attackers moved through a Citrix-based remote access system, found privileged credentials, and gained access to sensitive data. They even discovered that BA had been logging some payment card data in plaintext since 2015.
- The intruders also copied card data from text files and injected 22 lines of JavaScript into BA’s site to funnel payment information to a site they controlled (called “BAways”) between August 14 and August 25, 2018.

Detection and response
- On September 5, 2018, a third party reported that data from BA’s site was being sent to a different domain. BA removed the malicious code within 90 minutes and blocked the attacker’s domain within 20 minutes.
- BA notified the UK Information Commissioner’s Office (ICO) and affected customers on September 6, 2018. The company said the breach affected about 500,000 customers in total, with around 380,000 bookings involving card data and about 244,000 customers having full card details (including CVVs) exposed. About 77,000 people had their name, address and email plus payment data exposed, and roughly 108,000 had personal details without card data.

What was found
- The breach involved web-skimming by a group linked to Magecart, a network known for injecting malicious scripts into online checkout pages.
- A key issue was that British Airways had been logging payment card details in plaintext in some logs for several years. The retention period was short (about 95 days), which limited exposure, but the plaintext data meant anyone who could read the logs could access full card details.
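The plaintext logging described above is the control failure that the following added example addresses. It is written for this page, not taken from the article or from British Airways' systems: a Python logging filter that masks Luhn-valid card numbers (first six and last four kept) and blanks labelled CVV values before a record reaches any handler; the log line it processes is constructed.

```python
import io
import logging
import re

# Card numbers as they appear in logs: 13-19 contiguous digits, or the common
# 4-4-4-4 layout with a single space or dash between groups.
PAN_RE = re.compile(r"\b(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})\b")
# CVV/CVC fields in serialized form data or JSON, e.g. cvv=123 or "cvc": "1234".
CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|csc)\b(["\']?\s*[:=]\s*["\']?)(\d{3,4})')

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> str:
    """Mask PANs (first 6 and last 4 kept) and blank CVVs in a log message."""
    def mask_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):      # e.g. an order or booking id: leave it
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    text = PAN_RE.sub(mask_pan, text)
    return CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "***", text)

class CardDataRedactor(logging.Filter):
    """Rewrite each record's message before any handler can write it out."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format args first, then mask
        record.args = ()
        return True

def demo() -> str:
    """Log a constructed checkout line through the filter; return what hits disk."""
    stream = io.StringIO()
    logger = logging.getLogger("checkout-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(CardDataRedactor())
    logger.info("booking=%s pan=%s cvv=%s", "ABC123", "4111111111111111", "123")
    return stream.getvalue().strip()
```

demo() returns the single line the handler wrote. The CVV pattern keys on a field label, so a bare three-digit value logged without one passes through; masking at the source is a backstop, not a substitute for not logging card data at all.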

Aftermath and penalties
- In 2019, the ICO announced it intended to fine BA about £183 million for poor security. After considering mitigating factors, the final fine was reduced to £20 million in October 2020.
- The breach prompted a high-profile UK group action on behalf of affected customers, which was settled out of court in 2021.
- The incident came amid broader GDPR-related scrutiny of how airlines handle personal data, especially since the GDPR had just come into force in 2018. BA is the UK’s flag carrier and part of the International Airlines Group (IAG).

Context
- The breach followed other high-profile BA disruptions and highlighted the risks airlines face in handling large amounts of personal and payment data across multiple systems and partners.
This page was last edited on 3 February 2026, at 02:22 (CET).