Skip to main content


BA hit by massive data breach

British Airways (‘BA’) has reported that between 10.58pm on 21 August and 9.45pm on 5 September 2018, it was the victim of a ‘sophisticated, malicious’ cyber attack resulting in the theft of personal and financial data belonging to up to 380,000 customers who booked flights via the BA app and website during that time period.

BA has stated that no travel details were obtained, meaning that the thieves will be unable to establish when people might be away from home.  However, the data stolen included all the debit or credit card information needed to potentially make fraudulent online purchases or seek to clone the cards.

American Express has emailed users of its BA-branded cards, which allow people to build up Avios (formerly airmiles) reward points, reassuring them that it is monitoring their accounts for any suspicious activity, and that its customers are never liable for fraudulent purchases.  Other major card providers are likely to have done the same.

BA should have directly notified all customers who were personally affected by the breach, and has stated that it will ensure that any customers who suffer direct financial losses will be compensated.  Those who receive such notices may wish to contact their card provider to seek to cancel the card.

BA has reported the matter to the Information Commissioner’s Office (‘ICO’) (there is an obligation to self-report any data breach likely to pose a risk to people’s rights and freedoms), as well as the police.  BA is just the latest in a long line of major companies and organisations to be the subject of mass data breaches (including Air Canada a week earlier).  If the ICO finds that BA did not meet its obligations to hold third party data securely, it could face a fine.  Since the implementation of the General Data Protection Regulation (‘GDPR’) in May 2018, the maximum fine is now €20 million or 4% of global turnover (whichever is higher).

In addition to any fine, BA may be exposed to civil claims from customers (both for financial loss suffered and distress) if they can establish BA failed to take sufficient steps to safeguard their data.


Click here to find out how Brett Wilson LLP’s privacy lawyers can assist you if you have been the victim of a data leak


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.