BA facing massive fine after huge data theft
Hackers steal credit card details from thousands of airline customers
British Airways is facing a multi-million-pound fine after a massive data breach which the airline’s chief executive has described as a “malicious criminal attack”.
Thousands of BA customers have had to cancel their credit cards after the data hack – which took place between 11pm on 21 August until 9:45pm on 1 September – compromisedaround380,000 payments.
A criminal inquiry is being led by specialist cyber officers from the National Crime Agency (NCA).
Those behind the attack obtained enough credit card details to use them, and BA now faces a possible fine of around £500 million over the breach, with the Information Commissioner’s Office (ICO) also investigating the incident.
The data breach at the airline took place after the introduction of the latest Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4 per cent of global turnover, whichever is greater. In the year ended 31 December, 2017, BA’S total revenue was £12.2 billion, meaning the company could face a fine of around £500m.
The NCA said investigations of this type are “often complex and take some time before the full details can be established”.
It also warned that “opportunist criminals” often use these incidents to conduct secondary fraud attacks.
Alex Cruz, BA’S chairman and chief executive, said: “There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. ”
Shares in IAG, BA’S parent firm, were down more than 3 per cent in morning trade as investors digested the news.
Mr Cruz went on to apologise for the failure, adding that BA is “100 per cent committed” to compensating customers who are financially affected.
He said: “We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customersthatmadetransactions over Ba.com and app.”
He added: “We know that the information that has been stolen is name, address, email address, credit card information – that would be credit card number, expiration date and the three-letter code on the back of the credit card.
“No itinerary information, no frequent flier data, no passport data has been compromised.”