British Airways Data Breach

In our latest blog post Freddy Knight, Corporate Account Handler, Stackhouse Poland, looks at the recent British Airways Data Breach.

Data Breach

Another day and yet another high-profile data breach has been flooding our news feeds and inboxes. This time, the ‘World’s Favourite Airline’ British Airways has fallen victim in a breach that has reportedly compromised 380,000 customers’ payment card details.


The Facts

British Airways confirmed that a breach took place between 22:58 BST on 21st August and 21:45 BST on 5th September in which approximately 380,000 transactions were affected.

Data stolen included personal details, payment card information (including CCV numbers) but did not include travel information or passport details.


The Cause

British Airways have not revealed the technical details surrounding the breach but cyber-security expert Prof Alan Woodward, University of Surrey, has given his thoughts to the BBC on potential attack routes. Prof Woodward said “It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website.” If Professor Woodward’s thoughts prove to be true, it speaks to entry being gained by a method known as a ‘supply chain attack’.



British Airways CEO, Alex Cruz, told the BBC that hackers carried out a “sophisticated, malicious criminal attack” on its website and confirmed that they were “100 per cent committed to compensating” passengers whose information had been compromised in the breach. Mr Cruz went on to say that “Our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers, so they can follow their instructions on how to manage that breach of data.”

Shares in International Airline Group, which owns British Airways, dropped by more than 3 percent in the immediate aftermath of Friday’s press release.



As the breach occurred ‘post GDPR’, British Airways could face a maximum fine of either £17m or 4 percent of its global turnover; whichever is the greater. Having reported a total revenue of £12.2b in 2017, British Airways could face a fine of around £488m if the ICO should so wish.

An ICO spokesperson said “British Airways has made us aware of an incident and we are making enquiries”.


Cyber Insurance

Having noted the facts of the breach, let’s have a look at how a cyber insurance policy would act for an incident like this:-


Breach Response

Utilising a 24hr breach response service would be the first step having identified a potential breach. Working with IT security consultants, your insurer will identify the source and scope of the incident and have the source of the breach rectified and your systems secured.


Crisis Communication

Your insurers will liaise with crisis communication consultants to formulate a plan to reduce damage to your customers and brand. Their crisis communication plan may include training for staff in respect of media releases and quick, proper coordination of media relations.


Breach Management Costs

The costs of printing and posting notices to individuals affected by the breach would be covered and some insurers will pay for credit and identity monitoring services if that proves to be the best course of action.


Business Interruption

In the event that the incident renders your systems unusable, and you can demonstrate that you have suffered a financial loss as a direct result of the incident, Insurers will reimburse you accordingly for said loss of revenue. Some insurers also extend cover to include financial losses suffered as a result of system outages of third party suppliers.


Post Breach Costs

Once the fallout of the initial incident has subsided, a cyber insurance policy will pay to mitigate the potential of a future event by way of cyber-security risk assessments and staff training.


The Aftermath and ‘Mental Anguish’

SPG Law, US Law firm Sanders Phillips Grossman’s UK arm, have launched a £475m Group Action against British Airways to obtain compensation for individuals affected by the breach for the distress caused by the misuse of their data. Tom Goodhead, SPG Law Partner, advised that “BA are liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account”.

Despite most cyber insurance policies having a ‘Bodily Injury’ exclusion, cover can be extended to include claims emanating from mental injury or emotional distress and is intended to cover the likes of the compensation being sought by SPG Law.

It is not clear, at this stage, whether British Airways have a cyber insurance policy in place but what is clear is that the burdens of dealing with a data breach are greatly reduced when you are able to rely on the services of a cyber insurer.


Find out more

If you would like to learn more about how we can help you with cyber insurance, please get in touch.

Call us on 0207 089 2900 or email us at


 What if I have been affected?

Consumer group Which?’s Alex Neill has advised anyone concerned that their details may have been compromised to consider changing their online passwords and monitor their bank and online accounts. She also urged people to be wary of emails regarding the breach as hackers may try to take advantage of incident.

Sources – and