Compensation is to be paid to thousands of victims of a large-scale data breach at British Airways (BA).
A legal claim was filed against the airline over a security incident that began in June 2018. Data belonging to around 420,000 people was compromised in a cyber-attack that went undetected for more than two months.
Between June 22 and September 5, 2018, a malicious actor gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway.
The breach impacted personal data belonging to British Airways staff and to its customers in the United Kingdom, in the EU, and in the rest of the world. Magecart, a form of digital skimming code, was used by the attacker to collect and steal payment card information, names, and addresses.
An investigation by the Information Commissioner's Office (ICO) found the security measures put in place by British Airways to protect the vast quantities of personal data being processed were inadequate.
In a penalty notice issued to BA in October 2020, the ICO stated: "After gaining access to the wider network, the attacker traversed across the network. This culminated in the editing of a JavaScript file on BA's website (www.britishairways.com).
The edits made by the attacker were designed to enable the exfiltration of cardholder data from the 'britishairways.com' website to an external third-party domain (www.BAways.com) which was controlled by the attacker."
BA, which is a subsidiary of International Airlines Group, was initially slapped with a record-breaking fine of £183m by the ICO for violating GDPR. The fine was later reduced to £20m.
While settling the legal claim brought by some of the data breach victims, British Airways did not admit any liability.
The airline has kept the terms of the settlement under wraps, so it is unclear how much each plaintiff will receive.
BA said it was "pleased we've been able to settle the group action."
Earlier this year, the compensation claim against British Airways was described by a law firm as "the largest group-action personal-data claim in UK history," involving more than 16,000 victims.