featured image

This article originally appeared in Airways Magazine on July 8, 2019.

MIAMI – British Airways (BA) is facing a hefty £183 million fine from the United Kingdom’s Information Commissioner’s Office (ICO), following the major data breach that hit the airline in 2018, where hackers accessed more than 500,000 passengers’ details.

Alex Cruz, chairman, and chief executive of British Airways, admitted being “Surprised and Disappointed” with the action taken by the ICO.

It is still not clear how the hackers accessed the data last year; however, the watchdog which regulates the GDPR law that came into effect last year, said that they found that the hackers were able to breach the site due to “inadequate security arrangments” from the airline.

Heathrow, British Airways Heritage BEA livery on an Airbus A319, to celebrate BA centenary celebrations, March 2019.

The watchdog said that a wide variety of information is suspected of having been “compromised” by the airline’s poor security.

Back in 2018, British Airways experienced a myriad of breaches. The airline said that the first attack took place between August and September 2018. But later on, the airline disclosed that further breaches may have occurred between April and July.

British Airways clarified that the breached information included “names, email addresses, credit cards information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.”

Despite the announcement from the ICO today, however, the watchdog has said that British Airways has co-operated fully with its investigation and made improvements to their security.


The next move will come from British Airways, which has 28 days to appeal against the findings from the ICO.

IAG Chief Executive Officer, Willie Walsh, declared that “we intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused,” Walsh said.

But Tim Erlin, VP, product management and strategy at Tripwire, thinks differently. “The size of this fine certainly sends a clear message for GDPR enforcement: protect your customers’ data or pay. If anyone was unclear on how GDPR would be enforced, this fine should deliver clarity,” he said.

“Regulations like GDPR can be used to raise the bar on information security across whole industries, but we are fundamentally talking about criminal activity here, and these regulations also walk a fine line between improving security and blaming the victim.”

Erlin added, “in order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present. It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”


For all the European Airlines under the new GDPR laws, this news today will stand as a stark reminder of the importance of keeping passenger information safe, while it is not implied it is hard not to see British Airways as a test base for the appropriate action to be taken on companies now.

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly stiff penalty, will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, strategic technology partnerships officer for The Media Trust.

“The message is clear. If you collect consumer data, you’d better make sure it’s safe and know who has access to it. Moreover, reporting a breach and cooperating with regulators after the fact won’t guarantee immunity from the penalties,” he said.

Calic believes that “the problem is most third parties are strangers to site and mobile app owners, yet they often have access to user data and operate outside the site or app owner’s IT perimeter. Companies under GDPR and other data privacy laws on the horizon should retake control of their digital ecosystems. This means closely monitoring their digital assets for any unauthorized parties and activities, as well as working with third parties on enforcing digital policies and rooting out those who break them.”

As the new digital age in aviation looms ahead, only time will tell on where we stop moving toward automation for convenience in the interest of safety, not just in the sky but on the ground.