Stay Legal UK

British Airways facing lawsuit over 2018 data breach


On 16 October 2020, the Information Commissioner’s Office (ICO) released a Penalty Notice against British Airways plc.

It stated that ‘between 22 June and 5 September 2018, a malicious actor (the Attacker) gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway. After gaining access to the wider network, the Attacker traversed across the network. This culminated in the editing of a Javascript file on BA’s website (…). The edits made by the Attacker were designed to enable the exfiltration of cardholder data from the website to an external third-party domain (…) which was controlled by the Attacker.’

BA did not admit liability for breach of the General Data Protection Regulation (GDPR). However, the Penalty Notice states, ‘the Commissioner has found that BA failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures, as required by Article 5 (1)(f) and by Article 32 GDPR.’

The amount the ICO decided to impose, ‘having taken into account a range of mitigating factors and the impact of the Covid-19 pandemic’, is £20 million.

It has recently been reported (13 January 2021) that British Airways is now facing a possible £800 million lawsuit over its 2018 data breach. The breach exposed the personal details of more than 400,000 of its customers. More than 16,000 people have so far joined the group action represented by the London-based law firm PGMBM. PGMBM is currently litigating group actions against other corporations, including Mercedes, Volkswagen and EasyJet. A website set up for joining the group action states that other customers and staff affected by the 2018 breach have until 19 March 2021 to join the claim. It has been estimated that each of the 420,000 affected customers and staff whose personal information was leaked could receive £2,000 in compensation.

The 2018 British Airways data breach highlights how important it is to comply with the data protection principles of the GDPR, especially the integrity and confidentiality principle: you must have appropriate and adequate security measures in place to protect the data you hold. Failure to comply with this principle can result in substantial financial penalties, as the case above shows.

A Lawdit Stay Legal package will ensure that your website is legally compliant, giving you peace of mind. We will conduct a complete audit of your website to identify anything it needs to ensure compliance, and we will provide all the documents your website requires, tailored to its needs. With a free initial consultation there is no need to delay, so book today!
