As British Airways investigates the theft of customer data from its website, ba.com and the airline’s mobile app, one data expert has warned the airline may face fines.
According to the Information Commissioner’s Office, a fine of up to €20 million, or 4 per cent of annual global turnover – whichever is higher – can be imposed. “In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles,” it states.
The BA breach occurred between 21 August and 5 September, with personal and financial details of customers making bookings on ba.com and the airline’s app compromised. However, the stolen data did not include travel or passport details.
Some reports state a possible fine could be as high as £500 million – and that 380,000 card payments were affected. BA said the breach had now been resolved, its website was “working normally”, and it was communicating with affected customers.
Alex Cruz, BA’s chairman and chief executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
The breach follows a series of earlier IT failures, which saw flights cancelled in July and over the Bank Holiday weekend in May 2017.
Following the breach, one consultant said there needed to be “more consistency in security and app performance in the airline industry”.
According to Paul Farrington, director of EMEA at app security company CA Veracode: “The BA breach is another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.
“Furthermore, with GDPR now in full force, the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.
“IT issues are not only affecting BA, but also the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show investment should also be directed at technology. As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.
“Customers are right to be angry. If UK businesses want to avoid becoming the next victim of a breach it is crucial that they take significant steps to secure their software, web applications and networks to ensure that they aren’t their weakest points of attack.”
Meanwhile, one technology expert at a leading TMC told BBT that the breach was likely a result of an “insider job”, with the culprit likely having had legitimate access to data in order to download vast amounts of information in such a short period of time. They added BA could still face a fine, as previously other global corporations had been fined over similar “human element” cases, although it is likely the airline would be able to demonstrate to the ICO that it had the correct General Data Protection Regulation (GDPR) policies in place.