Maximise your Avios, air miles and hotel points

British Airways fined £20m for the 2018 data breach, was acting illegally

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The Information Commissioner’s Office has just published its final verdict on the 2018 data breach at British Airways.

The fine has been reduced to £20 million from the initial proposal of £183 million. The ICO makes it clear that this is partly due to the current financial difficulties at the airline – as well as BA’s co-operation and prompt reporting – and it is not a reassessment of the severity of the breach.

The ICO findings are damning. British Airways was found to have been acting illegally in its treatment of customer data.

British Airways fined £20m for 2017 data breach

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.”

How big was the BA data breach?

The ICO says:

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.”

Could BA have prevented the attack?

The ICO says it could – and some of the measures were already available to it via its existing IT plaform. To quote:

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.”

British Airways Executive Club data breach

BA didn’t even know it had been hacked ……

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

You can read the full ICO report here. The summary findings are here.

It isn’t clear if IAG was aware of the contents of this report, including the finding that British Airways had been acting illegally, when Alex Cruz was removed from his role as CEO and Chairman of British Airways on Monday.


how to earn avios from credit cards

How to earn Avios from UK credit cards (May 2021)

As a reminder, there are various ways of earning Avios from UK credit cards.  Many cards also have generous sign-up bonuses.

There are two official British Airways American Express cards:

British Airways American Express card

British Airways American Express

5,000 Avios for signing up, no annual fee and a companion voucher for spending £20,000 Read our full review

BA Premium Plus American Express card BAPP

British Airways American Express Premium Plus

25,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

Nectar American Express

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & two airport lounge passes Read our full review

American Express Platinum card Amex

The Platinum Card from American Express

30,000 points and an unbeatable set of travel benefits – for a fee Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Do you have a small business? Until 20th May 2021, you can receive a special sign-up bonus worth 29,900 Avios with the Capital On Tap Business Rewards Visa credit card. This offer is exclusive to Head for Points readers. Click here to learn more.

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

(Want to earn more Avios?  Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Comments (54)

  • Amber Lynn says:

    Is it me or does the picture of Alex Cruz bear a striking resemblance to Ian Flemings creation Sir Hugo Drax played by the late Michael Lonsdale in Moonraker.

  • Shawn says:

    From what I can see, there will be no compensation for the victims, is this correct?

    • Rob says:

      Depends if the class action lawsuits currently underway succeed.

      • Shawn says:

        Hello,
        Is the lawsuit now looking to take from the £20 million or do they sue the airline and that will add to the £20 million? Thanks

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.