2018 British Airways cyberattack

From HandWiki

The 2018 British Airways cyberattack was a cyberattack that affected 380,000 to 500,000 customers of British Airways.[1][2]

Attack

British Airways said the attack affected bookings from 21 August 2018 to 5 September 2018, with credit card details of around 380,000 customers being compromised.[1] The attackers obtained names, street addresses, email addresses, credit card numbers, expiration dates and card security codes - enough to allow thieves to steal from accounts.[1]

One customer of the airline reported that his card had been used to buy items by phone at Harrods while he was in Malaysia.[2] The attempt was rejected - the customer did not think his card was exposed except by this attack.[2]

Aftermath

British Airways urged customers to contact their banks or credit card issuers and to follow their advice.[1] NatWest said that it received more calls than usual because of the breach.[1] American Express said that customers would not need to take any action and that it would alert customers with unusual activity on their cards.[1]

Analysis

The Information Commissioner's Office said that the attack had begun in June 2018.[2]

Consequences for British Airways

British Airways was issued with a £183 million fine by the Information Commissioner's Office, which was the biggest fine issued by the office up to that date.[2] It was roughly 367 times the previous record, which was a £500,000 fine imposed on Facebook over the Cambridge Analytica scandal.[2]

The Facebook fine was the heaviest that could have been imposed at the time - a new law mirroring GDPR had been introduced between the Facebook and British Airways scandals.[2] The fine was 1.5% of the airline's worldwide turnover in 2017.[2] The maximum under the new laws would have been 4% of worldwide turnover, which would have approached £500 million.[2]

CEO and chairman Álex Cruz said the airline was "surprised and disappointed" in the ICO's finding.[2]

In October 2020, British Airways was fined £29 million by the Information Commissioner's Office, considerably less than the £183 million fine that the ICO originally intended.[3]

References
