British Airways Pays Thousands of Victims as Part of a Data Breach Settlement

 British Airways reached a settlement agreement with the victims of a data breach the company experienced in 2018 and will pay out damages to thousands of victims.

Data Breach Details

According to public records, British Airways faced a substantial class-action lawsuit following a data breach that occurred in June 2018. Information for 420,000 of their customers was exposed in the data breach.

A bad actor gained access to British Airways’ servers and continued to snoop around the system from June until September 5, 2018, when the infiltration was discovered. The hacker gained access by using stolen credentials for a Citrix remote access gateway.

According to Infosecurity Magazine “The breach impacted personal data belonging to British Airways staff and to its customers in the United Kingdom, in the EU, and in the rest of the world.  Magecart, a form of digital skimming code, was used by the attacker to collect and steal payment card information, names, and addresses.”

Following the data breach, the Information Commissioner’s Office (ICO) performed a full investigation and found British Airways guilty of not implementing proper security protocols to prevent such an intrusion.

The ICO issued British Airways a penalty notice in October 2020, stating that “After gaining access to the wider network, the attacker traversed across the network. This culminated in the editing of a JavaScript file on BA’s website (www.britishairways.com).

The edits made by the attacker were designed to enable the exfiltration of cardholder data from the ‘britishairways.com’ website to an external third-party domain (www.BAways.com) which was controlled by the attacker.”

The ICO initially slapped British Airways with a £183m fine for violating the GDPR but later reduced it to £20m.

The Lawsuit

Soon after the data breach, lawyers filed a class-action lawsuit on behalf of 16,000 of the victims. British Airways maintains that they did nothing wrong and never admitted any guilt. The lawyers heading up the legal claim described it as “the largest group-action personal-data claim in UK history.”

However, they recently came to an agreement, and British Airways decided to settle. The details of the agreement are sealed, so it is unclear how much each victim will receive.

In a public statement, the airline stated that they were “pleased we’ve been able to settle the group action.”

What About the Other Victims?

The data breach affected hundreds of thousands of victims. Threat actors gained access to the customers’ names, addresses, payment card information, and more. The data stolen was plenty for hackers to commit identity theft and fraud. The class-action lawsuit only covered 16,000 of the many victims. Regardless of whether or not they were included in the lawsuit, all of the victims should protect themselves by taking the following steps if they have not already:

• Change all online passwords, especially those connected to britishairways.com.
• Cancel credit or debit cards and request new ones.
• Report the identity fraud to the three credit reporting agencies (Equifax, TransUnion, and Experian).
• Put a credit freeze on their credit reports.
• Watch out for scam phone calls, suspicious mail, or any offers related to BA.
• Never click links or download attachments in email, even those that appear to come from a legitimate source.
• Regularly monitor all bank accounts, credit card statements, and credit reports looking for anything suspicious.
• Do not give out personal details to anyone unsolicited.
• Do not click ads on social media.
• Keep strong antivirus software on all devices and run deep scans often. After a data breach, victims are often targeted for other types of fraud.