UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

Half a million records lost? £183m GDPR fine lined up

The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers.

The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection Regulation (GDPR), represents 1.5 per cent of BA’s world-wide revenue in 2017.

Information Commissioner Elizabeth Denham said: "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The security breach hit almost 500,000 people. The ICO statement reveals the cyber-intrusion is believed to have started in June 2018, whereas previous statements from BA said it began in late August. The data watchdog described the attack as diverting user traffic from BA's site to a fraudulent site.

ICO investigators found a variety of information was compromised including log-in details, card numbers, names, addresses and travel information.

Sophisticated card skimming group Magecart, which also hit Ticketmaster, was blamed for the data slurp. The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA's site to gain access to the airline's payment system.

Such scripts are often used to support marketing and data tracking functions or running external ads.

British Airways website

British Airways: If you're feeling left out of our 380,000 passenger hack, then you may be one of another 185,000 victims


The Reg revealed that BA parent company IAG was in talks with staff to outsource cyber security to IBM just before the hack was carried out.

The ICO acted as lead investigator but liaised with several other European Union regulators. It said BA cooperated with its investigation and had now made security improvements to its site.

BA and the other regulators now have 28 days to make representations to reduce the fine.

In response, the airline said it was disappointed in the fine because it cooperated fully and had found no evidence that the stolen cards were used. It said it would make representations and appeal the decision.

The ICO statement is here. ®

Narrower topics

Other stories you might like

  • Google sours on legacy G Suite freeloaders, demands fee or flee

    Free incarnation of online app package, which became Workplace, is going away

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere.

    "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

    Continue reading
  • SpaceX Starlink sat streaks now present in nearly a fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining this science, maybe not

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading

Biting the hand that feeds IT © 1998–2022