cybersecurity · Airlines · 2020
British Airways plc
British Airways suffered a cyberattack in 2018 in which attackers injected malicious JavaScript into the BA website. As customers entered their details during the booking process, the script copied their personal and payment card data to an attacker-controlled domain; approximately 429,612 customers were affected. The ICO found BA's security measures inadequate and concluded that the attack could have been prevented with more robust controls, including monitoring of script integrity and multi-factor authentication. The fine was reduced from the £183.39 million proposed in the ICO's notice of intent, in part because of the economic impact of COVID-19 on the aviation sector.
Fine imposed
€23.4M (£20 million)
Authority
ICO-UK
Regulation
UK General Data Protection Regulation + Data Protection Act 2018
Max fine
Higher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%
Status
active
Key Takeaways
- Web skimming attacks via malicious scripts are foreseeable threats that organisations must guard against — the ICO expects active monitoring, content security policies, and script integrity verification for any web interface handling payment data.