Interesting Sunday Times piece on what caused BA’s data breach – and possible cash compensation

Links on Head for Points pay us an affiliate commission. A list of our partners is here.

I have tried to avoid running speculative articles about the British Airways data breach, since few of us can speak with real expert knowledge and even fewer know how the company really operates.

The Sunday Times, however, had a very interesting piece this week which I thought was worth quoting.  They spoke with a consultant called Ben Oguntala who actually worked on fraud prevention at BA’s Waterside head office and who quit after his guidance was ignored.

What caused the British Airways data breach?

To quote:

“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.

One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.

“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”

The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.

Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”

Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”

As I said above, this is a quote from an article in The Sunday Times and I have not done any additional verification, but it does have a ring of truth to it.

The full article is here but behind a paywall.

The Times suggests £1,250 per head compensation for the BA data breach

Will there be any cash compensation for the data breach?

Without wanting to dampen your hopes, I have very little faith that the £475 million legal suit against British Airways, highlighted in The Times yesterday, will go anywhere.

The (ironically named, for those of us in the loyalty sector) firm of SPG Law is apparently planning a class action lawsuit.  SPG Law is part of a large US law group and so has experience in the class action field, although they are rarely seen in the UK.

Apparently I would be due (£475,000,000 divided by 380,000 people) £1,250 for the “inconvenience, distress and misuse” of my private information. 

More accurately – if we look at the figures for the recent US class action lawsuit brought against British Airways for comparison, where the lawyers took 28% of the settlement as their fee – SPG Law would receive £120 million and I would be due £900.

In reality, we don’t know how the courts will interpret the new GDPR rules on fines for data leakage.  British Airways acted promptly and has not sought to hide anything, it seems, so it would expect a substantial discount for good behaviour.

The original story in The Times is here but, again, is behind a paywall.

(Want to earn more Avios?  Click here to visit our home page for the latest articles on earning and spending your Avios points and click here to see how to earn more Avios from current offers and promotions.)

Etihad's Manchester lounge in T1 becomes a premium independent '1903' lounge
Bits: Tesco and Peninsula Amex cashback deals, BA's Venice lounge, LivingSocial competition
Click here to join the 13,000 people on our email list and receive the latest Avios, miles and points news by 6am.

Amazon ad
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.


  1. Discount for ‘good behaviour’ is a bit of a joke. No wonder companies don’t invest in proper security and in this case one assumes, proper systems if the fine gets discounted because they tell the world quickly.

    A penalty should be based on the severity and impact of the issue and not be discounted because of a speedy report as that is what is required anyway.

    As for TV Licensing they would be better to add a few pence to income tax and scrap it and Capita. Save us all a lot in the end.

  2. You can access up to 2 articles per month for free if you register on the Times website. No card needed!

  3. I’ve had a fraudulent charge on my BA Amex flagged today. Obviously not conclusive that it’s due to this specific breach, but someone has tried to have a big clothes shopping spree at my expense!

    Thankfully Amex were great, stopped the charge and a new card is being shipped out, all processed in minutes

  4. Slightly O/T for this article but all related as I booked a flight during this period on my BA AMEX Premium card. I have earned my 2-4-1 voucher and want to cancel the card for churn purposes. I know that AMEX say that the voucher will be lost upon cancellation but common consensus is that this will not be the case. It that absolutely guaranteed? Has anyone ever lost a 2-4-1 voucher through anything other than expiration? Also, can I stack a Lloyds upgrade voucher with a 2-4-1 voucher on redemption?

    • There are never guarantees but I don’t think I’ve heard of anyone losing a 241 over it. And no, you can’t stack.

    • There seems to be a lot of anecdotal evidence that you DON’T lose the 2 4 1. You won’t be able to combine it with the Lloyds voucher though as one is booked via BA and one via, if that’s what you mean. However, if there’s availability on the flight you can get 2 seats with the 2 4 1 and a third with the Lloyds voucher if you make separate bookings.

  5. BBC site is suggesting they’ve found the (22 lines!) code that siphoned off the data.

    Looks like excessive use of 3rd part libraries making code auditing impossible – and eventually someone identified a means of getting something nefarious in…

  6. On the compensation/GDPR point, don’t anyone get too excited. There are two ways BA could lose money under the GDPR:
    1. If it is fined by the ICO for breaching the law, it could be fined up to 4% of annual worldwide turnover (probably that of IAG, rather than solely BA) or up to 20m EUR, whichever is higher. HOWEVER, this would be paid into the Treasury’s Consolidated Fund – the ICO does not have the power or discretion distribute its fines by way of compensation. I wouldn’t expect BA to get a discount merely for doing what the law says it should, i.e. tell the regulator and impacted individuals within 72 hours – particularly if the ICO found that the breach occurred as a result of negligence.
    2. If individuals bring claims, or a class action is launched, for breach of the GDPR – in this case, a court would have to award damages to the claimants, or it is possible that an action could be settled out of court. Historically, compensation for breaches of data protection law has not been high, and I would be very surprised if it got anywhere near the £1k mark, unless a claimant could show genuine loss or distress. There is no percentage that the courts would base a fine on.

  7. Would a customer also have a potential claim against any third party whose affiliate link was used? We expect Uber to be liable for actions of drivers so why shouldn’t a website carrying affiliate links be liable?

    So I think be careful what you wish for in terms of a compensation culture.

  8. As someone who used to work in the BA IT department (until I was made redundant 4ish years ago) – PCI used to be taken incredibly seriously. Literally years were spent on ensuring compliance. We went to great lengths – far greater lengths than all the companies I’ve worked at since (including other airlines). PCI compliance was a red line when looking at IT and business requirements (as was data protection law). However the IT department was one of the key voices reminding the business and making sure compliance was considered. Most of the people I worked with (including most of the payment specialists) were made redundant – and the poor buggers that remain are spread very thin.
    It makes me sad.

  9. BA sign off their year end accounts quite quickly however problems with card fraud will turn up within a week. By the time the audit has been signed then it would be fairly easy to evaluate the cost of any problem and include it in the accounts. The accounts are now free from error.

  10. Myself and my wife booked flights during those ‘dates’ via our BAEC account. We’re BOTH now getting spam calls from an 0113 number……

    • Does it end in 8891 or 0515 by any chance? Keep getting called by those as well and it only started a few weeks ago!! This might be why…

    • I also booked a flight within this period and on Thursday 13th, I got a spam call from a 0113 number asking if I have been involved in any accident or issue. I work in IT and did a project that involved payment cards and had to ensure PCI compliance. Yes, you have to tokenise the card number and never store the cvv number so was shocked that BA told me my CVV was compromised.

      • Actually, now you mention it, my wife got one of those calls. It was on her work mobile but I answered it because it was charging in our home office. Her BA account is also compromised.

  11. and the GDPR 4% of turnover fine is a max. and imposed for repeatedly ignoring and finding out to be non-compliant – if they have jumped through the right hoops (paid off the right people) the fine will be much less

  12. About the calls from 0113… , mine was asking me about my recent accident. 🙁

    My question – ‘which one?’ – upset the script and ensured silence while I blocked it as spam.

    I don’t think it was connected with the BA breach.

Please click here to read our data protection policy before submitting your comment.