British-Airways Magecart Third-party Breach Leads to a $230 Million GDPR Fine

Last update: January 2021.

According to the Information Commissioner Office in the UK (ICO) a notice has been issued to British-Airways of its intention to fine the airliner $230 million (£183.39M) for “infringements of the General Data Protection Regulation (GDPR)”. Though in late 2020 the penalty was reduced to £20M, the costly plot is not near to an end. As of January 2021, the company is facing a £3 Billion settlement for its 2018 breaches.

The reason for the planned penalty is the 2018’s BA data breach of around 400 thousands customer details. According to the ICO, the September 2018 incident “involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 400,000 customers were compromised in this incident, which is believed to have begun in June 2018″. 

The Never-Ending Costs of a Data Breach

The incident itself was first disclosed by British-Airways by the beginning of September 2018.  According to InfoSecurity, security researchers claimed to have found stolen card details from British-Airways for sale on the darknet just a week after the incident. According the ICO “poor security arrangements” at British-Airways have led to the breach of sensitive data, including credit card information, booking details, names and addresses and user login details of approximately half a million customers.

In October 2020 the UK ICO reduced the BA’s penalty for the 2018 data breach. Instead of the original £183.39M fine, the British watchdog updated the penalty and set it at £20 million, still a significant amount by all standards. But the costly longtail didn’t end there, and in January 2021 the company is facing a painful £3 Billion settlement with the victims of two breaches security breaches, both occurred in 2018. One of them, was the major Magecart attack.

The Magecart Hacking Group

The British-Airways data breach was executed by Magecart hackers, which is considered as the largest skimming group today. Magecart group activities usually involves a hidden injection of a third-party JavaScript code. The false code is aimed to steal payment data that is submitted on checkout pages, and is collected during the process and through payment forms.

In the British-Airways incident the Magecart hackers change a third-party JavaScript called Modernizr – a JS library that is used for enhanced interaction. The Magecart hackers modified it to capture the submitted data from the payment forms, and send it to their designated server which was located in Romania.

One of the Highest Penalties Under Europe’s New Data Privacy Law

In 2018 the ICO fined Facebook $626,000 (£500,000) over the Cambridge Analytica data scandal. At that time, before the new GDPR regulations came into force, it was the highest penalty amount allowed. In June 2019 Italy’s data protection watchdog has issued Facebook a €1,000,000 fine for violating its local privacy law.

Click here to view the full updated notice from 2020.
Image screenshot taken from the ICO notice 

According to the BBC, the £183.39 million ($230M) fine is the biggest penalty the ICO had handed out and the first to be made public under new rules. As mentioned, the fine was reduced to “only” £20 during late 2020, but in January 2021 British-Airways is still making headlines. Unfortunately, for all the wrong reasons. According to Infosecurity-Magazine, this time the aviation giant is looking at a £3 billion(!) settlement with the victims of the 2018’s Magecart devastating attack and an additional data breach that occurred earlier during the same year.

Learn more how to keep your website safe from third-party risks and Magecart attacks.
Book a complimentary meeting with one of experts with one of our experts