British Airways Fined £183 Million Over GDPR Breach

British Airways has been slapped with a record-breaking GDPR fine for its 2018 data breach that impacted around half a million customers.

The breach in question occurred over the summer of 2018. Hackers succeeded in gaining access to the BA website and inserted code that allowed them to skim credit and debit card numbers as they were entered by customers.

The attack is believed to be the work of a hacking group called Magecart, which specializes in card skimming attacks. Magecart has conducted many attacks on poorly secured websites, including the attack on Ticketmaster in June 2018. In this case, the breach was due to a cross-site scripting attack on the website.
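As an added example that is not part of the original article, the following Python script shows one routine check a defender can run against a checkout page to catch the kind of change a card skimmer relies on: a script loaded from a host that is not on the site's allowlist, an allowlisted script served without a Subresource Integrity attribute, and an inline script whose hash is not in a reviewed baseline. The HTML, the hostnames, the allowlist and the baseline snippet are all constructed for this demonstration and are not taken from BA or Magecart.

```python
# Added example, not from the article: audit the <script> surface of a checkout
# page for injected or unreviewed JavaScript. All hosts, the allowlist, the
# baseline and the sample HTML below are constructed for the demonstration.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts permitted to serve scripts on the checkout page.
ALLOWED_SCRIPT_HOSTS = {"www.example-airline.test", "static.example-airline.test"}


def fingerprint(script_text):
    """SHA-256 of an inline script body, whitespace-trimmed, for baseline comparison."""
    return hashlib.sha256(script_text.strip().encode("utf-8")).hexdigest()


# Hypothetical reviewed baseline: hashes of inline snippets that are known-good.
KNOWN_INLINE_HASHES = {fingerprint("window.dataLayer = window.dataLayer || [];")}


class ScriptCollector(HTMLParser):
    """Collects external script sources (with SRI presence) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, has_integrity)
        self.inline = []        # inline script text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src:
            self.external.append((src, "integrity" in a))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, baseline=KNOWN_INLINE_HASHES):
    """Return a list of human-readable findings for scripts that warrant review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_integrity in collector.external:
        # Strip any userinfo and port before comparing the host against the allowlist.
        host = urlparse(src).netloc.split("@")[-1].split(":")[0].lower()
        if not host:
            continue  # same-origin relative path; host check does not apply
        if host not in allowed_hosts:
            findings.append(f"external script from non-allowlisted host: {src}")
        elif not has_integrity:
            findings.append(f"allowlisted script without integrity attribute: {src}")
    for body in collector.inline:
        h = fingerprint(body)
        if h not in baseline:
            findings.append(f"inline script not in reviewed baseline (sha256 {h[:12]}...)")
    return findings


# Constructed sample page: one clean script, one without SRI, one from an
# unknown host, one baselined inline snippet and one unreviewed inline snippet.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example-airline.test/js/app.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.example-airline.test/js/modernizr.js"></script>
<script src="https://cdn.unknown-host.test/x.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>document.addEventListener('input', function (e) { /* not in the reviewed baseline */ });</script>
</head><body><form><input name="card"></form></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of the live checkout page, the script reports three findings for the sample above: the script from the unknown host, the allowlisted script with no integrity attribute, and the inline snippet outside the baseline. It only checks for the presence of an `integrity` attribute, not its value; enforcing the hash is the browser's job once the attribute is set correctly, and a Content Security Policy with `script-src` limited to the same allowlist is the complementary control.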

The cross-site scripting attack was initially thought to have involved around 380,000 booking transactions on the website between 21 August and 5 September 2018. The breach was reported to the UK Information Commissioner’s Office (ICO) and customers were notified the day after the breach was discovered.

The ICO investigation revealed the breach most likely started in June 2018 and was made possible due to poor security at BA. As a result of security vulnerabilities, the hackers were able to place code on the website that allowed names, email addresses, and full card details to be compromised by the attackers. According to ICO, the breach resulted in the theft of around half a million customers’ financial data.

BA cooperated fully with the ICO investigation and has already implemented a range of additional security measures to prevent further breaches. BA has also offered to cover the cost of any losses suffered by customers as a direct result of the breach.

The £183 million ($219 million) fine eclipsed the previous record-breaking fine of £500,000 issued to Facebook over the Cambridge Analytica scandal. Had that breach occurred after the May 25, 2018 GDPR compliance date, the financial penalty for Facebook would have been substantially higher. Under the EU’s old data protection and security rules, the maximum financial penalty was £500,000. Under GDPR, the maximum fine has been increased to €20 million or 4% of global annual turnover.

A spokesperson for BA’s holding company, International Airlines Group (IAG), said he was “surprised and disappointed” about the fine, although it could have been substantially higher. BA was fined 1.5% of its global annual turnover for 2017. A fine of around £500 million was possible, or considerably more if the holding company had been determined to be at fault.

BA will be launching an appeal in the next 28 days and will attempt to have the fine overturned or reduced.

Author: NetSec Editor