British Airways Suffers HUGE Data Breach, Could Face $500+ Million Fine

Filed Under: British Airways

Recently I wrote about how almost two million Air Canada customers were locked out of the Air Canada app following a security breach. Fortunately, only ~1% of those 1.7 million members (around 20,000) actually had their personal data compromised.

Well now British Airways has suffered a much bigger security breach, and I was one of those caught up in it.

I received the following email from British Airways:

From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at, and on our app were compromised. The stolen data did not include travel or passport information.

The breach has been resolved and our website is working normally.

We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.

We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.

UK media is reporting that 380,000 passengers have had their personal information compromised. This is almost twenty times as many people as with the Air Canada breach.

The following information has reportedly been stolen/compromised for customers who made bookings on or the BA app during the timeframe:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

I’m not sure how widely the Air Canada breach was reported in Canada, but this British Airways data breach has been absolute headline news in the UK all weekend.

I would be surprised if Alex Cruz left the BA head office the entire weekend.

Early last week, I redeemed Avios for flights to Europe for next year. So that was within the timeframe identified by British Airways.

I used my British Airways American Express to pay for the taxes and fees for the flights, because I earn double Avios for spending with British Airways.

So I called American Express on Friday, and before I could even enter my card number, there was a hastily pre-recorded message regarding the British Airways breach, saying that they were aware of the problem, that card members would not be liable for any unauthorised transactions on their account, and that card members did not need to take any further action.

I also received the following email from American Express:

Dear Cardmember,

I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.

We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.

Thank you for your continued Card membership.

EU Data Protection Regulations

In May this year, strict new European Data Protection Regulations came into effect, commonly known as ‘GDPR.’ If you had provided your personal information to any companies operating within the European Union, you may have received various communications around this time advising you about how that company was complying with GDPR.

Here’s what I received from British Airways in May:

So GDPR is only a few months old, and there have been no breaches of the new regulations the size of the British Airways breach so far. Now breaches of GDPR rules can result in penalties of up to 4% of an offending company’s annual turnover (not profit).

British Airways breached GDPR by initially failing to properly notify customers within the required time frame of who they could contact if they had questions about the breach, and what steps British Airways would be taking to deal with the data breach.

So British Airways then (later) sent a second email to customers with this additional information.

The European Information Commissioner’s Office may choose to make an example out of British Airways as the first huge breach of GDPR by penalising them the full 4% of their annual turnover, which could be as much as £500 million, which is around ~$650 million.

IAG (British Airways’ parent company) shares dropped sharply on Friday following the news.

Bottom line

I must admit a chill went down my spine when I first heard the time frame of the breach, because I instantly knew I was within it.

I appreciate American Express reassuring me that I will not be suffering any financial loss as a result of the breach, but I’m wondering if I should be requesting a new card from American Express (i.e. with a new card number and security code) just to be on the safe side, even though American Express has advised that I do not need to do so.

If I do request a new card, in exactly one week’s time I’m going traveling for four months (which I’ll be sharing the details of with you over the coming days) so it’s highly likely the new card may not arrive in time before I leave. It will be my ’emergency’ card because I won’t be using it when paying in foreign currencies.

I’ll be very interested to see what action the Information Commissioner’s Office takes against British Airways as they could be facing a massive penalty. I’ll keep you updated as to what happens.

Of course I expect a few comments about ‘this is why I don’t fly British Airways,’ and I don’t profess to know enough about information security to understand if the data theft was due to negligence of British Airways’ part, or just bad luck. Remember Air Canada suffered a data security breach just a few weeks ago, and as cyber crime becomes more sophisticated we may see breaches like this more regularly.

If you have had your personal data compromised there is a special British Airways page with more information here.

If you were caught up in the British Airways breach what action are you taking? Are you requesting a new card?

  1. Wow $500 million fine? Here in the USA if something like this were too happen the Congress would hold some useless hearings and the president would distract by blaming immigrants or making a big deal about NFL games. Remember only two kinds of Republicans: pure evil or completely stupid. But deserve a punch in the face.

  2. Is it any surprise. We’ve all seen how Rock solid the BA website IT is so I assume this carries into other IT areas. Oh and….Insert bitter liberal off topic Trump hate comment here…

  3. In my experience Amex is the best credit company regarding cybersecurity. Despite nearly all of their other services being downgraded or disappearing (am I the only person that remembers visiting Amex offices in each European city, because that’s the easiest way your relatives could contact you?) – they have maintained ‘having your back’ in these sort of situations.

    Unless Amex recommend it – I would not be changing my card – even though ‘common sense’ (that least reliable instict) says you should.

    Oh, and have a fabulous 4 months of travel. Someone has to keep up Australian’s reputation for outragous lengths of holidays!

  4. A question: aren’t you guys able to create a virtual credit card number associated with your original card in order to do online shopping?
    You are able to create an one time purchase number, date and cvv code.

    It does not solve all the data acquired, but at least you can forget about people using you credit card.

  5. @George: Chase and Amex do not have this feature. One of the other companies (perhaps BOA) does. It is a great security feature that should be expanded.

  6. 4% of gross revenue would only be fined if BA had done nothing to comply with GDPR. If they had made reasonable efforts and completed a cyber risk assessment, I doubt their fine would be over a couple million, if anything at all. These things happen and it’s tough to prove negligence.

  7. I was also caught up in this, I called Amex UK on Thursday evening and requested a new card. They immediately re-issued this, and it arrived in the post on Saturday. Remarkably fast turnaround.

  8. If you have the card in Apple Pay they card there has a different number and can be used after the parent card has been marked compromised.

    Not useful for every situation, but pretty much covers every day-to-day transaction here in Canada

  9. Wow 4 months! That’s awesome!!! Normally when I’ve had fraud activity on my cc (whether it be Chase, Amex, or Citi) they’re quite fast. The majority of the time they tell me that I’ll get the new card within 5-7 business days but I always ask if it’s possible for them to overnight it and 100% of the time they provide it (at no extra charge). That’s in the USA though… so am not sure if that’s the same case for the BA Amex. Good luck!

  10. @james

    Totally agree it ‘can happen’ to any airline like we saw with AC.

    What was bad was BA’s answer: putting it on the banks and basically telling you ‘may’ have been affected. It felt very amateurish. In comparison, Amex answer sounded much more thoughtful, reassuring and competent.

  11. BA was also not following the PCI rules regarding the CVV as a merchant cannot store that data. That would leave them fully liable for any fraud, so as a customer, you would have nothing to worry about.

  12. @James: I think you don’t need to worry missing your (eventual) new Amex card while not at home. Doesn’t Amex provide you with a new card within 24 hours or so by delivery no matter where in the world you are?

  13. I was also affected by this breach. Bought two tickets within that time period. They are being remarkably elusive with regards to compensation. I too canceled my card and had it reissued. Now need to change the number with the auto charges attached to the old card. I real pain. Nothing that 100,000 miles wouldn’t cure though.

  14. This came out the 2nd day into my holiday; to say I was livid would be an understatement. Unable to make contact with anyone about the issue where I am and woefully inadequate information in BA’s email lead to several ruined days worrying. My credit card provider emailed me 2 days afterwards off their own back to say they were issuing a new card… which is great, except it’s 4,000 miles away. Consequently I have not been able to book excursions, etc.

    Well done BA. Ruined a holiday to paradise without even being on one of your delapidated uncomfortable aircraft!

  15. Are you aware the letter on GDPR from May reveals your surname? No worries if you’re cool with that, just mentioning it…

  16. @Debit This is an airline blog, not a place to complain about Republicans.
    If you care enough, you’d stop complaining to us and do something about it.

  17. It’s made very difficult by the fact customers need to speak to frontline staff who can do almost nothing and get the blame

    The CVV should not be stored

    Debit knows nothing about travel, however always comments for reasons unknown to anyone

  18. The old @Debit is back.

    And for US based people who needs some translation. Turnover = Revenue. Profit = Net Income.

    @James – Your data that got stolen are minimal. I wouldn’t worry too much especially with AMEX. They tend to be among the best with customers when things go south. I would just live life like normal and pay attention to charges, like what every person should be doing with any bills. I assume you hardly use the card for other purchases will make suspicious transaction stand out easier. I have been affected by numerous data breach yet the only time I lost faith in the system was Equifax. A year later, no accountability no changes. This is the most impacted breach in the history, those crappy 1 billion Yahoo account (people still use Yahoo???) didn’t get as much sensitive information as this (147 out of 325 Americans lost sensitive data).

  19. Although PCI DSS does say that the CVV2 /CSC/etc should not be stored (anyone calling it a CVV is wrong), the rules can be read to state that it cannot be stored after authorisation, but can be prior.

    Further, depending on the nature of the breach, storage of the value may have nothing to do with how the data was exfiltrated.

  20. I was one of those affected! Right before we leave on vacation this week!(oh yes, leaving our dog who is sick and trying to avoid two hurricanes-YIPPE!) I tweeted BA and they replied they are working on “compensation.” What will that mean?

  21. “I must admit a chill went down my spine when I first heard the time frame of the breach, because I instantly knew I was within it.”

    Son, if a chill goes down your spine because of news of a cyber hack you are going to have to toughen up. There’ll be worse to come as cyber crime increases, mark my words.

    I was also “caught up” in the British Airways incident and I can’t see the point in getting overly exercised about it. The workload I’d scheduled for Friday morning ( 7th September) was disrupted as it took almost an hour to get through to American Express to check the status of my account. When, eventually, I got a reply Amex were professional and reassuring. I’d not be liable should my card details be used fraudulently.

    Take a back step and see what’s going on in the world right now and this incident – as irritating and inconvenient as it is – pales into insignificance compared with major events.

    Given the choice, I’d rather have been at home on the phone to Amex on Friday morning than have been in Hokkaido. Or Idlib. Or Chad.

  22. Connie – I expect compensation will mean being reimbursed for the figure you have lost. If, indeed, you have lost any funds due to fraud.

  23. @ Andromeda – the language you used gets caught in the spam filter and needs to be manually reviewed and approved.

  24. I’m with @Andromeda. People need to realize that consumers are not liable for fraudulent credit card charges. Never use debit for these purchases, so you don’t have to deal with having your bank account drained and needing to get your money back.

    @Lee, you should travel with more than one credit card or debit card to deal with situations like this. I usually have 3+ credit cards and 2 debit cards on a trip.

  25. @george. For a while amex was experimenting with disposable credit card numbers. I loved it even though it was a bit of a pain to use. But they abruptly canceled it after almost a year. Guessing someone figured out a way to abuse it and generate their own disposable numbers.

  26. The Air Canada breach was quietly brushed under the carpet even though it is much more serious than the BA breach. Though inconvenient, credit cards can be much more easily cancelled and replaced, not so much passports and Nexus cards.

    While initially denying that there was any major danger with passport info being breached, AC are now backtracking and offering to cover the cost of a new passport for those affected.

  27. Re. the £500 million fine… Won’t BA just add a few pounds to “carrier imposed surcharges so we can pay for this? Or maybe they could load a few more M&S sandwiches to each flight and use that revenue.

  28. Yes, I purchased a return biz BA ticket SFO-LHR on my AmEx Business Platinum right in the zone, my first purchase to start off my spend for the 100k bonus. Quite deflated after this news; sent a secure message asking AmEx what’s needed, if anything, but sounds like they are on top of it.

  29. @James
    If you do go down the route of getting a new AMEX, you can always have it sent to your hotel so you don’t have to wait 4 months before getting it.

  30. @James. BA is a much bigger airline than Air Canada, that doesn’t make it more serious, just that more were impacted.

    With BA it’s only credit card data which is easily backstopped by the credit card issuer’s own fraud prevention methods. If you want a new credit card, that’s a few clicks on website or a simple phone call away, not so with a passport or Nexus card. This then has a knock on effect to those visas and other immigration documents tied to that passport. That’s just the inconvenience aspect. Now for the serious stuff.

    A passport is what is called in security circles a root identity document, one on which others are based. Next in line is your social insurance and health insurance details and so on and so forth, you get the idea. The Air Canada breach was extremely serious even the Beeb chimed in:

    ****The City of London’s Action Fraud team told the BBC that the “consequences of having your passport information accessed can be severe”.*****

    But sure, some people had their easily replacable CC info hacked…

  31. @James: just want to point out the Information Commissioner’s Office is a domestic UK body, rather than European. It has the authority (and the obligation) to investigate GDPR breaches in the UK.

Leave a Reply

If you'd like to participate in the discussion, please adhere to our commenting guidelines. Your email address will not be published. Required fields are marked *