Maximise your Avios, air miles and hotel points

British Airways fined £20m for the 2018 data breach, was acting illegally

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

The Information Commissioner’s Office has just published its final verdict on the 2018 data breach at British Airways.

The fine has been reduced to £20 million from the initial proposal of £183 million. The ICO makes it clear that this is partly due to the current financial difficulties at the airline – as well as BA’s co-operation and prompt reporting – and it is not a reassessment of the severity of the breach.

The ICO findings are damning. British Airways was found to have been acting illegally in its treatment of customer data.

British Airways fined £20m for 2017 data breach

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.”

How big was the BA data breach?

The ICO says:

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.”

Could BA have prevented the attack?

The ICO says it could – and some of the measures were already available to it via its existing IT plaform. To quote:

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.”

British Airways Executive Club data breach

BA didn’t even know it had been hacked ……

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

It isn’t clear if IAG was aware of the contents of this report, including the finding that British Airways had been acting illegally, when Alex Cruz was removed from his role as CEO and Chairman of British Airways on Monday.

How to earn Avios from UK credit cards

How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

SPECIAL OFFER: Until 12th May 2024, the Capital on Tap Business Rewards Visa card is offering a bonus of 30,000 points, convertible into 30,000 Avios. You must have a Limited Company to apply. Click here to learn more and click here to apply.

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Category

British Airways and Avios

Comments (54)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Publius says:
    16 Oct16 October 22:59

    I’m totally disgusted with the ICO for reducing the fine due to covid.
    Does this mean the multitude of startups (who never declare a profit) cannot be fined?
    Despicable logic – hope someone raises a class action against the ICO now!

    • Lady London says:
      17 Oct17 October 00:02

      I understand it’s quite common for headline fines to be very substantially reduced after the headlines are long gone.

      However $20m given the level of negligence the worldwide customers affected etc, does feel like a slap with my furry teddy bear, rather than a fine that ought to have reflected the level of British Airways’s negligence.

      Especially as there were other indicators that British Airways’s IT was failing seriously. Such as the systems meltdown on a UK Public Holiday weekend that left people stuck at airports all over the world. Which was followed by a similar event, also due to whoever was running BA’s IT (I presume that’s *was* ) a few months later.

      How long is it taking BA to lose
      $20m these days.? Is it less than a day?

      And correspondingly, at the time of these breaches how long was it taking BA to make $20m? A day?

      I would far rather the regulator had come down to the usual amount and given BA 3 -5 years to pay, with interest.

      • JP-MCO says:
        17 Oct17 October 07:12

        Maybe it was £183m reduced to £20m if the CEO who had overseen it all was removed?

        • ChrisC says:
          17 Oct17 October 08:22

          I’ve read similar comments elsewhere.

          There is no way the ICO could or would have insisted on Cruz being sacked in some sort in deal to reduce the fine.

          The employment (or not) of individuals involved In causing the failure is a matter for the company not the regulator.

    • ChrisC says:
      17 Oct17 October 03:01

      The fine can either be a cash sum – the maximum is €20m – or based on turnover – maximum of 4% (no maximum cash sum hence the original large possible fine)

      So a company they made no profit could still be fined.

      You could if you felt so inclined take the ICO to the High Court for Judicial Review but you would have to have some evidence that their decision was somehow inherently wrong because they failed to follow the law and their published procedures and not just because you don’t like the decision.

    • Jake Mc says:
      17 Oct17 October 07:39

      The logic is not despicable. It’s helping to protect the livelihoods of those that had nothing to do with the hack.
      What is the point of slapping an enormous fine on BA when, in lieu of being able to generate any meaningful profit over the next 6 months or so, the only way they would balance the books is by sacking more staff and making more benefit cuts?

      It’s hardly fair those that had nothing to do with the hack should lose out.

      I don’t disagree that 20m is on the light side but straight up large fine feels like a blunt tool that will cause suffering to the wrong people.

      The ICO should probably look at legislation that would enable them in future to undertake a more targeted approach to the decision makers in an organisation (i.e. those that signed off on the deficiencies that enabled the breech)

      • Mr(s) Entitled says:
        17 Oct17 October 08:22

        Fine them £100mm, deferred for 2yrs, payable over 3yrs. Job done.

        • Jake Mc says:
          17 Oct17 October 09:00

          Agreed but I don’t know what remit the ICO have to do so. Furthermore BA could choose to take on that ‘loss’ on to the balance sheet now and still sack further staff / increase cuts.

          Essentially the ICO should look to increase personal accountability rather than leverage greater fines on companies. A CEO / COO / CTO who knows they are retiring shortly is unlikely to care too much about procedure if any comeuppance cannot be leveraged against them personally.

        • Lady London says:
          17 Oct17 October 14:14

          Exactly.

          • Lady London says:
            17 Oct17 October 19:02

            * that was for the suspended fine with time to pay.

            Not for individuals being made personally liable for consequences of things they are responsible for within their company professionally. There are very few exceptions to this not being possible and for good reason.

    • Rob says:
      17 Oct17 October 11:09

      £183m was a warning shot for anyone thinking of not revealing breaches immediately or not cooperating.

  • Chrisasaurus says:
    16 Oct16 October 23:52

    My understanding is that these reports are typically given to the entity under investigation ahead of publication for reasons such as giving them chance to highlight factual errors or omissions – so would be very likely the board saw this before AC’s departure. Doesn’t of course mean it influenced it, but likely it was known

  • Nori says:
    17 Oct17 October 06:42

    Do victims get to see any of that money?

  • Dirtyneedlebluesky says:
    17 Oct17 October 07:35

    Bit unfair of ICO to comment that some of the measures are available in the MS operating system.

    For enterprise grade security solutions this is far from the case. They make it sound you turn it on as a feature and is free.

    Yes MS offer some of these tools, as other software vendors do.

    • Dwb1873 says:
      17 Oct17 October 13:43

      Being able to apply Least privileges most definitely is though. That’s InfoSec 101.

      Hard to tell from an excerpt but it sounds like they had weaknesses in risk and good security control requirement assessment, putting to one side any actual technical gaps.

      The basics in other words.

    • Joseph Heenan says:
      17 Oct17 October 19:53

      The point the ICO where trying to make was that BA had already paid for the necessary software (in this case from MS) to enforce better security – they just hadn’t configured the software properly.

  • sayling says:
    17 Oct17 October 09:19

    So where will the 20 million go once paid?

  • David S says:
    17 Oct17 October 09:28

    Forget the CEO, what happened to the CIO who was actually accountable for this

    • Defcon5 says:
      19 Oct19 October 09:23

      There seem to be a few out there, if anyone has signed up and can advise the most legitimate that would be useful.
      I assume they are not disclosing to customers if their details were hacked?

  • James says:
    17 Oct17 October 10:03

    Looks like I’m eligible to jump on the claim bandwagon. Can anyone recommend a good group action site to register with please? I’m seeing some no-win, no-fee claims of 35%. Just wondering if there’s any better offers out there before I register.

    Cheers

  • Mark Tasker says:
    17 Oct17 October 10:30

    Can anyone give me just one good reason to fly with this shambles of an airline. It is a disgrace that it has the word “British” in its title

    • Jake Mc says:
      17 Oct17 October 11:22

      So many, depending on the customer, route, time of year, requirements etc:
      1. Price
      2. Lack of other direct alternatives
      3. Connectivity from regional UK airports to Heathrow
      4. Status (use and earning)
      5. Avios (use and earning)
      6. Accessibility of customer to Heathrow / Gatwick
      7. Flight timings
      8. Requirements of company travel policy
      9. Type of aircraft flown

      Etc…

      Whether we like it or not BA can be competitive or market leading in any one (or more) of those categories on any given flight.

      • Jake Mc says:
        17 Oct17 October 11:26

        + quality of product! (Although of course very much market dependent)!

      • Paul says:
        17 Oct17 October 15:50

        There speaks an employee or other vested interest.

        Price – Almost never ex the UK and rips off UK passengers especially regions compared with ex EU. A fare difference is one thing but thousands is quite another
        Lack of competition – This is not something to be proud of!
        Regional connectivity – That laughable. KLM LH QR and EK serve the regions better!
        Status – Its the only show in town again not something to be proud of
        Avios – Dito
        LHR and LGW – They have never shown the slightest commitment to LGW or indeed anywhere else in the UK.
        Flight timings – I have always been amused by this. The timings are driven by slots availability both at department and arrival. They are often less than ideal
        Type of aircraft – until recently the caped out 747 was still a main stay.

        Come on, they are only in business as they have fortress LHR and are overly protected via highly lucrative commercial agreements that allow legal collusion on pricing, schedules and frequent flyer programmes.
        You will never convince me that we wouldn’t have an AA credit card in the UK if it were not for their commercial agreement

        They are neither marked leading or competitive in the own right on any key measures and rely on their protected status to survive. It why they vehemently opposed the 3rd runway and Boris Island.

        If they faced proper competition it would be a very different story

        • Jake Mc says:
          17 Oct17 October 16:48

          Paul – I think you may have mis-understood my points. I am for the record not an employee nor have any interest in BA (bar some Avios).

          The question posed by Mark was to give a good reason why people would fly BA – not to compare BA to the competition. My response was not whether one should be ‘proud’ but why so many people choose to fly BA.

          It wasn’t supposed to be flagging how BA is brilliant all of the time but that it is better than the alternatives (thus market leading; nb that does not mean ‘good’). Clearly all of those factors above are enough of a pull for enough people that it is a ‘good’ enough reason to fly BA.

      • Lady London says:
        17 Oct17 October 18:53

        I would add safety to that list of advantages of British Airways.

        After a trying trip there’s still something about seeing the British Airways tailfin and getting on the aircraft to a British welcome and knowing I’m going to be flown home by a British Airways pilot.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

New to Head for Points?

Welcome!  We’re the UK’s most-read source of business travel, Avios, frequent flyer and hotel loyalty news. Let us improve how you travel. Got any questions? Ask them in our forums.

Latest Forum Posts

Get 40,000 bonus points (worth 40,000 Avios) and £300 dining credit with The Platinum Card

Check reward flight availability instantly for free!

See a whole year of reward seat availability on one page at SeatSpy.com

Get £10 when you spend £150 on your free Currensea card

Booking a luxury hotel?

Our luxury hotel booking service offers you GUARANTEED extra benefits over booking direct. Works with Four Seasons, Mandarin Oriental, The Ritz Carlton, St Regis and more. We've booked £1.7 million of rooms to date. Click for details.

SME? SPECIAL OFFER TO 12TH MAY EARN POINTS WORTH 30,000 AVIOS WITH CAPITAL ON TAP

Get 20,000 bonus points, four airport lounge passes and your first year free with American Express Gold

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.

Got it!