British Airways GDPR Fine: The First Major Enforcement Sets the Tone

British Airways was fined £20 million under GDPR after a 2018 breach where Magecart card-skimming code was injected into their booking page for two months, stealing 500,000 customers' payment details. The ICO's investigation found multiple security failures.

British Airways · 2019 · 2 min read

Background

British Airways' website was compromised in August 2018 by Magecart, a group that injects malicious JavaScript into payment pages to steal card data. The ICO initially intended to fine BA £183 million (1.5% of its annual revenue). The final fine of £20 million was reduced because of the economic impact of COVID-19.

The Attack

Attackers injected 22 lines of JavaScript into BA's booking page. The script copied payment card data, names, addresses, email addresses, and login credentials and sent them to a server in Romania. It operated for 58 days before BA discovered it. The ICO investigation found that BA had inadequate security controls, including no multi-factor authentication on critical systems, inadequate access controls, overly broad access permissions, and insufficient monitoring and logging.

Response

BA discovered the breach in September 2018 and notified the ICO within 72 hours as required by GDPR. The company notified affected customers and offered fraud monitoring. The ICO investigation took over a year. BA appealed the initial £183 million fine, and it was ultimately reduced to £20 million.

Outcome

The BA fine was the first large GDPR enforcement action, and at £20 million it was the largest fine the ICO had ever issued. It established the precedent that GDPR enforcement would focus on systemic security failures, not just the breach itself. The 72-hour notification was praised.

Key Takeaways

  1. Third-party JavaScript on payment pages must be monitored for modification — Magecart attacks are extremely common
  2. MFA on all systems with access to customer payment data is a GDPR requirement, not a recommendation
  3. GDPR's 72-hour notification clock starts from knowledge of a breach, not discovery of its full scope
  4. Subresource Integrity (SRI) hashes prevent unauthorised modification of JavaScript loaded from external sources
Tags: Magecart, GDPR fine, JavaScript injection, ICO, card skimming