Back in 2020, British Airways was fined by the Information Commissioner’s Office (ICO) for a data breach that affected over 400,000 of its customers. The airline was fined a then-record £20 million after a security breach of its systems. The breach affected BA customers who booked flights directly via the airline’s website or app, resulting in their sensitive information being compromised.
What Happened in the British Airways Data Breach?
The Information Commissioner’s Office investigation found that BA should have been able to identify the security weaknesses and prevent its systems from being hacked. Astonishingly, the breach was caused by what the ICO described as a failure to implement the most basic of security measures and a lack of cybersecurity testing. BA had left some test-phase settings switched on in its production system, and the ICO found that the airline’s software code had not been tested or reviewed appropriately.
In addition, many airlines still run ‘legacy’ booking systems which, although updated to modern standards, may not have a structure or security posture as robust as newly built IT systems. To make matters worse, administrator login details were not encrypted and were stored on the system in plain text.
This gave the hackers easy access to all of BA’s databases and systems. As a result, an estimated 400,000 – 500,000 passengers who booked their flights directly via the British Airways website or app had their payment card details accessed by cyber-criminals. The criminals made use of the compromised systems in part by diverting BA passengers to fraudulent sites. The stolen information included travel plans, email and billing addresses, and even the three-digit security codes found on the back of credit cards.
What Can We Learn From This Breach?
There are many lessons that can be learned from breaches like this. The first lesson is that cyber-crime is on the rise and both businesses and consumers have to be proactive in securing information.
Although criminals are using increasingly sophisticated methods to achieve their goals, there are security measures that we can take to make it more difficult for our data to be compromised. There have been multiple instances of airlines and other businesses being hacked in recent years but in this case, BA literally left the door open for the criminals.
In addition to having robust security features in place, organisations need to limit access to critical databases and information systems, and must act swiftly when something goes wrong. Stress testing and auditing of systems should be a priority, particularly before a service is launched, and systems should be continuously checked for weaknesses once in operation.
Lastly, it is also reassuring to see that the authorities have shown that they are willing to act when companies mismanage their customers’ sensitive information. The £20 million fine that BA received was the largest handed out by the ICO at the time, and the airline had to improve its IT security and processes. The company also promised to reimburse any customers who suffered financial losses as a result of the breach. Group litigation claims are still ongoing.
If you have suffered a data breach and you would like to understand whether you can make a claim, don’t hesitate to contact us.