What is the British Airways data breach and how does it affect passengers?

Sign up to Simon Calder’s free travel email for expert advice and money-saving discounts

Get Simon Calder’s Travel email

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

British Airways faces a fine of £183m for a data breach in which details of passengers’ credit cards were stolen.

The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act. The sum represents 1.5 per cent of BA’s global turnover in 2017.

It is the largest fine so far under new data regulations. The airline and its parent company, IAG, says it will appeal.

Here are the key questions answered.

In the summer of 2018, cyber-criminals stole payment card details from an estimated 500,000 passengers who bought flights on the ba.com website or through the British Airways app, or made transactions involving Avios.

The personal data comprised the passenger’s name, travel plans, billing address, email address and payment card details, and the three-digit security code (“card verification value,” or CVV) from the back of the card.

At the time, British Airways told those whose data was at risk: “We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details.

“As a precaution we recommend you contact your bank or card provider and follow their advice.”

The airline also offered free credit and identity monitoring services.

BA now says no evidence has emerged of fraudulent activity relating to the hack.

The ICO says the hack in part involved customers being diverted to a fraudulent site.

Like banks, airlines tend to have “legacy” reservation systems that have their origins deep in the 20th century. While they have been continually updated, the structure is not as robust as newer IT systems.

Many other airlines have been affected by data breaches, including the giant US airline, Delta, and Cathay Pacific of Hong Kong. In the latter case, the personal data of 9.4m customers were accessed.

The job prospects for IT security specialists have never looked better.

Under the General Data Protection Regulation (GDPR), an organisation that does not protect customers’ data can be fined up to 4 per cent of annual global revenue. In 2017 that amounted to £12.2bn, making the maximum possible fine £488m.

The proposed penalty of £183.4m is significantly less, at 1.5 per cent of turnover, but with apparently no material financial harm having been caused, the size of the fine has surprised many observers – and appalled British Airways.

Alex Cruz, the airline boss, says he was “surprised and disappointed” by the ICO’s finding. After the breach, he says, BA responded quickly.

The Independent understands that the airline was expecting a fine in the region of £20m to £50m, representing to 0.16 to 0.4 per cent of turnover.

Elizabeth Denham is making an example of British Airways, saying: “The law is clear – when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO says British Airways has cooperated with its investigation and has made improvements to its security arrangements.

BA feels it has been scapegoated as a warning to other businesses, and that the fine is out of all proportion to the harm caused.

No. The penalty represents £366 for each of the customers that the ICO says was affected, but the cash goes straight to HM Treasury and into general government funds.

The proposed penalty is a significant cost to British Airways, which works out at £4 for each passenger BA will carry in 2019. But at a time of intense competition, any airline will find it difficult to increase fares without losing business to rivals.

After the multiple airline hacks, carriers are redoubling their efforts to protect data – in the possibly vain hope that there will be no future large-scale breaches.

The BA hacks affected only people who booked direct with the airline, not through travel agents.

Booking through an intermediary may add a layer of security, though it increases the number of organisations with access to your data.