British Airways fined £183m after customers’ credit card details stolen in major hack

Simon Calder

British Airways has been fined £183m for a data breach in which passengers credit-card data was stolen – but says there is no evidence of harm to passengers.

The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act.

The proposed penalty is £183.4m, representing 1.5 per cent of BA’s worldwide revenue in 2017.

In September 2018, British Airways’ chairman and chief executive, Alex Cruz, revealed what he called “A very sophisticated, malicious attack”.

Cyber criminals stole personal and financial information from hundreds of thousands of customers who booked direct with the airline over a two-week spell in August and early September.

Details of payment cards, including the number, expiry date and three-digit security code or “card verification value” (CVV) were illegally extracted from the reservations system.

The following month, BA said that passengers who had made bookings through its Avios scheme between April and July 2018 were also at risk.

Customers were told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”

The airline said it would indemnify customers who suffered financial harm.

British Airways now says that it has been told of the fine by the ICO.

Mr Cruz said: “We are surprised and disappointed in this initial finding from the ICO.

British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

“We apologise to our customers for any inconvenience this event caused.”

BA is part of the International Airlines Group, whose chief executive, Willie Walsh, said: “British Airways will be making representations to the ICO in relation to the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Under GDPR rules, fines can be up to four per cent of annual global revenue. BA's total revenue in the year to 31 December 2017 was £12.2bn, making the maximum possible fine £488m.

After a cyber attack on TalkTalk in 2015, which affected fewer than half as many customers as the airline breach, the telecom firm was fined £400,000.

The proposed penalty for British Airways is equivalent to just over £4 for each passenger expected to fly on BA this year.