British Airways Fined £20 Million After Hackers Steal 420,000 Customers' Payment Details
Hackers accessed personal and financial details of 420,000 BA customers through a skimming attack on the website and app, resulting in a major GDPR fine.
Key Facts
Company: British Airways
Penalty: £20 Million
Regulator: ICO (Information Commissioner's Office)
Status: Settled
The Full Story
Between June and September 2018, attackers compromised the British Airways website and mobile app and skimmed the personal and financial details of approximately 420,000 customers and staff. The attack was a client-side (Magecart-style) skim rather than a theft from BA's databases: malicious JavaScript injected into the BA site ran in each customer's browser, captured the payment form as it was submitted, and sent a copy of the fields to a server the attackers controlled, while the legitimate booking completed normally so nothing looked wrong to the customer. The mobile app, which rendered the same web pages, was affected in the same way. The captured fields included names, addresses, payment card numbers, expiry dates and CVV codes.
The stolen data (card number, expiry date and CVV together with the cardholder's name and address) was sufficient for criminals to make card-not-present fraudulent transactions on victims' accounts. Many customers only discovered the breach when they noticed unauthorized charges on their bank statements.
The ICO investigation found that BA had failed to implement adequate security measures to protect its website and app. The weaknesses the attackers exploited were ones BA ought to have identified and could have mitigated with measures that were available at the time; the ICO specifically cited limiting access to applications, data and tools to what a user's role requires, rigorous testing of systems by simulating an attack, and protecting employee and third-party accounts with multi-factor authentication.
In July 2019 the ICO issued a notice of intent to fine BA a record £183 million, the first penalty proposed under the UK's implementation of GDPR. After BA made representations, and after the ICO took into account the economic impact of COVID-19 on the airline industry, the final fine issued in October 2020 was £20 million.
BA also settled a group litigation claim brought by affected customers, with confidential terms estimated at tens of millions of pounds in additional compensation.
The significant reduction from the proposed fine drew criticism from privacy advocates who argued it undermined the deterrent effect of GDPR enforcement.
Court Order / Regulatory Action
The ICO imposed a fine of £20 million in October 2020 (reduced from an initial proposal of £183 million). BA also settled a group litigation claim with affected customers on confidential terms.
Outcome
£20 million ICO fine. Confidential group litigation settlement. Significant reduction from initial £183 million proposed fine drew criticism.
Impact on Consumers
Roughly 420,000 customers and staff had their personal and payment card data compromised. The case was one of the first major GDPR enforcement actions in the UK and highlighted that the integrity of the scripts a website serves to customers' browsers is as much a part of protecting consumer data as the security of the back-end systems that store it.
Sources & References
Last verified: April 2025