Maximise your Avios, air miles and hotel points

British Airways fined £20m for the 2018 data breach, was acting illegally

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The Information Commissioner’s Office has just published its final verdict on the 2018 data breach at British Airways.

The fine has been reduced to £20 million from the initial proposal of £183 million. The ICO makes it clear that this is partly due to the current financial difficulties at the airline – as well as BA’s co-operation and prompt reporting – and it is not a reassessment of the severity of the breach.

The ICO findings are damning. British Airways was found to have been acting illegally in its treatment of customer data.

British Airways fined £20m for 2017 data breach

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.”

How big was the BA data breach?

The ICO says:

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.”

Could BA have prevented the attack?

The ICO says it could – and some of the measures were already available to it via its existing IT plaform. To quote:

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.”

British Airways Executive Club data breach

BA didn’t even know it had been hacked ……

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

You can read the full ICO report here. The summary findings are here.

It isn’t clear if IAG was aware of the contents of this report, including the finding that British Airways had been acting illegally, when Alex Cruz was removed from his role as CEO and Chairman of British Airways on Monday.


HFP-Barclaycard-Avios-Card

How to earn Avios from UK credit cards (February 2023)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

25,000 Avios for signing up and an upgrade voucher for spending £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher for spending £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

SPECIAL OFFER: Until 21st February 2023, the sign-up bonus on the British Airways Premium Plus American Express card is increased to 35,000 Avios from 25,000 Avios. You can apply here.

British Airways American Express Premium Plus

35,000 Avios (ONLY to 21st February) and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £12,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

30,000 points and unbeatable travel benefits – for a fee Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital On Tap Business Rewards Visa

Get a 10,000 points bonus plus an extra 500 points for our readers Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and a £200 Amex Travel credit every year Read our full review

American Express Business Gold

20,000 points sign-up bonus and free for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (54)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Ruth says:

    Using ethical hacking/cyber testing, system safeguards and audits for users, and multi factor authentication are hardly cutting edge business practices – crazy that BA wasn’t doing this!

    • Oh! Matron! says:

      let’s not forget (and not limited to)

      Penetration testing
      Role based access control
      Hiring Managers, Directors and above that:
      a) understand this and
      b) can make compelling business cases to those above them why the above is necessary

      I’m sure Cruz will do well in Govt. Dido Harding seems not have let the massive breech that happened on her watch at TalkTalk get in the way

    • Dwb1873 says:

      What surprises me is I’d have expected them to be PCI compliant (taking card data) and much of this is a core requirement – mandatory, so can’t just be risk accepted by a lazy Board.

  • Michael C says:

    I’ve signed up for the class action suit. I had my card used for a bunch of shoe purchases after the breach was discovered. Seems like an open and shut case. They didn’t protect my sensitive data.

  • chabuddy geezy says:

    I think in any other company the CEO and CTO would probably have to resign in a situation like this.

    • Rhys says:

      Could be another reason why Cruz was booted.

      • ChrisC says:

        That should have happened when it was first announced and before his “big nasty boys did this so don’t blame us” complaint.

        BA must be relieved that it had taken the ICO so long to complete it’s investigation. ICO probbaly wishing it had been quicker and decided this in January.

        Next up the Marriott breach and their potential approx £100m fine.

      • Mark Homer says:

        Does anyone really believe the ICO are able to accurately assess BA’s failings when they are probably more inept?

        Let’s face it, most big companies have been the subject of data breeches, the BA case just got publicised widely.

  • Sk123 says:

    I can’t remember if I got an email about the breach. I think I did. How do I doublecheck?

  • BP says:

    Badatabreach.com was the one I used.

  • Jamie says:

    Has BA run out of wallpaper to auction?

  • Jonathan says:

    I wonder if outsourcing the IT function a few years back to save money was really cheaper in end?

    • Rhys says:

      Probably not!

    • Dwb1873 says:

      This isn’t IT – it’s is risk management. IT might be the control applied to address the risk but sounds here like the risk just wasn’t properly handled.

      So much of good security gets pigeon holed as ‘IT’ but security is security. It just happens IT solutions are often good controls to achieve the desired mitigation.

      Put it another way – if your house gets broken into because you left the window open, would you blame IT or poor risk management?

      I wish more Boards would see it that way rather than just think it’s an ‘IT problem’, because they happen to use a lot of IT systems.

  • Erico1875 says:

    With people working from home using their own broadband connections, is this easier to hack into systems?

    • Alex M says:

      Asking for a friend? 😉

    • Chrisasaurus says:

      No

    • Will says:

      Potentially yes, ok a technical level more data will be open to access across the internet by more users whilst on a basic level the integrity of a system is only as secure as a users terminal so a hacked bedroom office PC is now a possible breach. Possibly easier to gain access to than a secure office.

      It’s very unlikely that all companies have rolled out remote working securely.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.